From noreply at bro.org Sat Aug 1 00:00:16 2015 
From: noreply at bro.org (Merge Tracker)
Date: Sat, 1 Aug 2015 00:00:16 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508010700.t7170GIh004039@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee   Updated     For Version   Priority   Summary
------------  -----------  -------------  ---------  ----------  ------------  ---------  -----------------------------------------------
BIT-1440 [1]  Bro          Daniel Thayer  -          2015-07-31  2.5           Normal     Remove perl from list of Bro build dependencies
BIT-1439 [2]  bro-aux      Daniel Thayer  -          2015-07-30  2.5           Normal     bro-cut segfaults for some invalid logs

Open GitHub Pull Requests
=========================

Issue    Component    User                   Updated     Title
-------  -----------  ---------------------  ----------  ------------------------------------------------------------
#36 [3]  bro          jswaro [4]             2015-07-31  Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [5]
#5 [6]   bro-plugins  jswaro [7]             2015-07-26  Adding initial conversion of TCPRS to a plugin [8]
#3 [9]   bro-plugins  albertzaharovits [10]  2015-07-17  Redis Log Writer [11]

[1] BIT-1440 https://bro-tracker.atlassian.net/browse/BIT-1440
[2] BIT-1439 https://bro-tracker.atlassian.net/browse/BIT-1439
[3] Pull Request #36 https://github.com/bro/bro/pull/36
[4] jswaro https://github.com/jswaro
[5] Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support
[6] Pull Request #5 https://github.com/bro/bro-plugins/pull/5
[7] jswaro https://github.com/jswaro
[8] Merge Pull Request #5 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[9] Pull Request #3 https://github.com/bro/bro-plugins/pull/3
[10] albertzaharovits https://github.com/albertzaharovits
[11] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master

From: noreply at bro.org (Merge Tracker)
Date: Sun, 2 Aug 2015 00:00:22 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508020700.t7270Mdg012826@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee   Updated     For Version   Priority   Summary
------------  -----------  -------------  ---------  ----------  ------------  ---------  -----------------------------------------------
BIT-1440 [1]  Bro          Daniel Thayer  -          2015-07-31  2.5           Normal     Remove perl from list of Bro build dependencies
BIT-1439 [2]  bro-aux      Daniel Thayer  -          2015-07-30  2.5           Normal     bro-cut segfaults for some invalid logs

Open GitHub Pull Requests
=========================

Issue    Component    User                   Updated     Title
-------  -----------  ---------------------  ----------  ------------------------------------------------------------
#36 [3]  bro          jswaro [4]             2015-07-31  Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [5]
#5 [6]   bro-plugins  jswaro [7]             2015-07-26  Adding initial conversion of TCPRS to a plugin [8]
#3 [9]   bro-plugins  albertzaharovits [10]  2015-07-17  Redis Log Writer [11]

[1] BIT-1440 https://bro-tracker.atlassian.net/browse/BIT-1440
[2] BIT-1439 https://bro-tracker.atlassian.net/browse/BIT-1439
[3] Pull Request #36 https://github.com/bro/bro/pull/36
[4] jswaro https://github.com/jswaro
[5] Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support
[6] Pull Request #5 https://github.com/bro/bro-plugins/pull/5
[7] jswaro https://github.com/jswaro
[8] Merge Pull Request #5 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[9] Pull Request #3 https://github.com/bro/bro-plugins/pull/3
[10] albertzaharovits https://github.com/albertzaharovits
[11] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master

From: noreply at bro.org (Merge Tracker)
Date: Mon, 3 Aug 2015 00:00:22 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508030700.t7370Mqs031870@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee   Updated     For Version   Priority   Summary
------------  -----------  -------------  ---------  ----------  ------------  ---------  -----------------------------------------------
BIT-1440 [1]  Bro          Daniel Thayer  -          2015-07-31  2.5           Normal     Remove perl from list of Bro build dependencies
BIT-1439 [2]  bro-aux      Daniel Thayer  -          2015-07-30  2.5           Normal     bro-cut segfaults for some invalid logs

Open GitHub Pull Requests
=========================

Issue    Component    User                   Updated     Title
-------  -----------  ---------------------  ----------  ------------------------------------------------------------
#36 [3]  bro          jswaro [4]             2015-07-31  Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [5]
#5 [6]   bro-plugins  jswaro [7]             2015-07-26  Adding initial conversion of TCPRS to a plugin [8]
#3 [9]   bro-plugins  albertzaharovits [10]  2015-08-03  Redis Log Writer [11]

[1] BIT-1440 https://bro-tracker.atlassian.net/browse/BIT-1440
[2] BIT-1439 https://bro-tracker.atlassian.net/browse/BIT-1439
[3] Pull Request #36 https://github.com/bro/bro/pull/36
[4] jswaro https://github.com/jswaro
[5] Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support
[6] Pull Request #5 https://github.com/bro/bro-plugins/pull/5
[7] jswaro https://github.com/jswaro
[8] Merge Pull Request #5 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[9] Pull Request #3 https://github.com/bro/bro-plugins/pull/3
[10] albertzaharovits https://github.com/albertzaharovits
[11] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master

From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA))
Date: Mon, 3 Aug 2015 03:23:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1441) Logrotation cannot be set when using path_func

Jan Grashoefer created BIT-1441:
-----------------------------------

             Summary: Logrotation cannot be set when using path_func
                 Key: BIT-1441
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1441
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
         Environment: SLC6, PF_RING, broctl
            Reporter: Jan Grashoefer

I had a problem using Bro's filtering on my Bro cluster (using broctl). I wanted to create separate logfiles in JSON format for some streams. As the file name should include the current date, I specified a path_func. So far everything worked as expected. Then I tried to disable the logrotation for these files by setting interv = 0. Unfortunately this did not work. Setting a fixed path, disabling logrotation worked as intended (see [http://try.bro.org/#/trybro/saved/14143] for an example of the code I used).

I investigated this issue and think I have discovered a problem. The rotation interval for a writer is determined in CreateWriter in manager.cc (see [https://github.com/bro/bro/blob/2b1cd66f17194a30b90490965cbdffdd71c18c09/src/logging/Manager.cc#L1064]) based on the filter. The filter again is determined by writer and path (I don't understand why the name of the filter is not used, but there may be reasons). To see whether the interval is set correctly I added some debug output here. Then I did a test specifying a filter for HTTP using path_func and a filter for CONN using a fixed path.
On my worker I get the expected output (except the interval seems wrong):

{quote}
0.000000/1437813255.656896 [logging] Set interval for 'packet_filter' (filter 'default') to '86400.000000'
0.000000/1437813255.658523 [logging] Set interval for 'loaded_scripts' (filter 'default') to '86400.000000'
0.000000/1437813255.685123 [logging] Set interval for 'communication' (filter 'default') to '86400.000000'
1437813255.644956/1437813255.709181 [logging] Set interval for 'stats' (filter 'default') to '86400.000000'
1437813255.644965/1437813255.710468 [logging] Set interval for 'weird' (filter 'default') to '86400.000000'
1437813255.822196/1437813255.834760 [logging] Set interval for 'reporter' (filter 'default') to '86400.000000'
1437813256.015793/1437813256.027556 [logging] Set interval for 'software' (filter 'default') to '86400.000000'
1437813256.015793/1437813256.039455 [logging] Set interval for 'files' (filter 'default') to '86400.000000'
1437813256.015793/1437813256.040269 [logging] Set interval for 'http' (filter 'default') to '86400.000000'
1437813256.015793/1437813256.040504 [logging] Set interval for '/var/opt/bro/logs-json/http-2015-07-25' (filter 'http_json') to '0.000000'
1437813257.512453/1437813257.523782 [logging] Set interval for 'x509' (filter 'default') to '86400.000000'
1437813260.645607/1437813260.656385 [logging] Set interval for 'conn' (filter 'default') to '86400.000000'
1437813260.645607/1437813260.656526 [logging] Set interval for '/var/opt/bro/logs-json/conn' (filter 'conn_json') to '0.000000'
1437813262.827012/1437813262.839179 [logging] Set interval for 'dns' (filter 'default') to '86400.000000'
1437813263.401981/1437813263.411552 [logging] Set interval for 'ssl' (filter 'default') to '86400.000000'
1437813293.565530/1437813293.575182 [logging] Set interval for 'kerberos' (filter 'default') to '86400.000000'
{quote}

But on the manager I get the following:

{quote}
1437813085.377826/1437813085.387819 [logging] Set interval for 'loaded_scripts' (filter 'default') to '3600.000000'
1437813085.377826/1437813085.400927 [logging] Set interval for 'communication' (filter 'default') to '3600.000000'
1437813089.408731/1437813089.409921 [logging] Set interval for 'reporter' (filter '') to '3600.000000'
1437813089.410046/1437813089.411141 [logging] Set interval for 'weird' (filter '') to '3600.000000'
1437813089.410046/1437813089.411314 [logging] Set interval for 'packet_filter' (filter '') to '3600.000000'
1437813089.411802/1437813089.412948 [logging] Set interval for 'stats' (filter '') to '3600.000000'
1437813089.444066/1437813089.445155 [logging] Set interval for 'files' (filter '') to '3600.000000'
1437813089.453163/1437813089.454249 [logging] Set interval for 'software' (filter '') to '3600.000000'
1437813089.472973/1437813089.474123 [logging] Set interval for 'dns' (filter '') to '3600.000000'
1437813089.507522/1437813089.508617 [logging] Set default interval for '/var/opt/bro/logs-json/http-2015-07-25' (filter '')
1437813089.508759/1437813089.509852 [logging] Set interval for 'http' (filter '') to '3600.000000'
1437813089.523751/1437813089.524868 [logging] Set interval for 'x509' (filter '') to '3600.000000',
1437813089.983185/1437813089.984342 [logging] Set interval for 'ssl' (filter '') to '3600.000000'
1437813093.316215/1437813093.317350 [logging] Set interval for 'ftp' (filter '') to '3600.000000'
1437813094.076354/1437813094.077442 [logging] Set interval for 'conn' (filter '') to '3600.000000'
1437813094.077580/1437813094.078657 [logging] Set interval for '/var/opt/bro/logs-json/conn' (filter '') to '0.000000'
1437813100.949465/1437813100.950567 [logging] Set interval for 'syslog' (filter '') to '3600.000000'
{quote}

On the manager you can see that for all worker-generated logs the filter is not known and that the interval for my HTTP-JSON log is set to the default value (Note: The instantiating filter is not known because it is not set in the call in SendAllWritersTo - see [https://github.com/bro/bro/blob/2b1cd66f17194a30b90490965cbdffdd71c18c09/src/logging/Manager.cc#L1174]). So why does it work on the worker? It's because the path of the filter is determined and set during the write: the first write triggers determining the path by the filter. Then the writer is created, and the path of writer and filter match. The writers on the manager seem to be created without a write and therefore the filter cannot be determined.

At first I tried to fix the issue by using the name of the filter, but as seen in the debug output, the name is not set. I also thought about setting the interval using the WriterBackend::WriterInfo, which is passed to CreateWriter and has a field for the interval, but there is also the postprocessor set in the CreateWriter method. Unfortunately I don't understand how logging is distributed between manager and worker in detail, so I do not know how I can fix this issue.

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

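To make the diagnosis above concrete, here is a small model (added here; it is not Bro's code and only mimics the behaviour the report describes) of how a writer's rotation interval ends up being looked up by (writer, path). A path_func filter only acquires its path at the first write, which is what happens on the worker; the manager creates the writer from a (writer, path) pair announced by the worker and never performs a write, so the lookup finds no filter and the default interval is used. Class and function names, and the default interval of 3600 seconds (the value seen in the manager's output), are assumptions of the model.

```python
"""Toy model of the writer/filter lookup described in BIT-1441 (not Bro's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

DEFAULT_INTERVAL = 3600.0   # assumed default; the manager output in the report shows 3600


@dataclass
class Filter:
    name: str
    stream: str
    writer: str
    path: str = ""                     # fixed path, or the path resolved at first write
    path_func: Optional[Callable[[str, dict], str]] = None
    interv: float = DEFAULT_INTERVAL   # 0.0 disables rotation


class LoggingNode:
    """One Bro process (worker or manager) in the model (hypothetical name)."""

    def __init__(self) -> None:
        self.filters: Dict[str, Filter] = {}
        self.writers: Dict[Tuple[str, str], float] = {}   # (writer, path) -> interval

    def add_filter(self, f: Filter) -> None:
        self.filters[f.name] = f

    def find_filter(self, writer: str, path: str) -> Optional[Filter]:
        """Lookup by writer and path, as the report says CreateWriter does (not by name)."""
        for f in self.filters.values():
            if f.writer == writer and f.path == path:
                return f
        return None

    def create_writer(self, writer: str, path: str) -> float:
        """Take the rotation interval from the matching filter, else the default."""
        f = self.find_filter(writer, path)
        interval = f.interv if f is not None else DEFAULT_INTERVAL
        self.writers[(writer, path)] = interval
        return interval

    def write(self, stream: str, rec: dict) -> Dict[str, float]:
        """Worker side: the first write resolves path_func, then the writer is created."""
        created = {}
        for f in self.filters.values():
            if f.stream != stream:
                continue
            if f.path_func is not None:
                f.path = f.path_func(stream, rec)      # path is now stored on the filter
            if (f.writer, f.path) not in self.writers:
                created[f.name] = self.create_writer(f.writer, f.path)
        return created

    def receive_remote_writer(self, writer: str, path: str) -> float:
        """Manager side: a worker's writer arrives as (writer, path) only; no write happens."""
        return self.create_writer(writer, path)


def dated_json_path(stream: str, rec: dict) -> str:
    """Constructed path_func: stream name plus the record's date."""
    return "/var/opt/bro/logs-json/%s-%s" % (stream, rec["date"])


def make_filters():
    """Fresh filter objects, so worker and manager do not share state."""
    return [
        Filter("http_json", "http", "ascii", path_func=dated_json_path, interv=0.0),
        Filter("conn_json", "conn", "ascii", path="/var/opt/bro/logs-json/conn", interv=0.0),
    ]


def demo() -> Tuple[float, float, float]:
    """Return (worker http interval, manager http interval, manager conn interval)."""
    worker, manager = LoggingNode(), LoggingNode()
    for f in make_filters():
        worker.add_filter(f)
    for f in make_filters():            # the same script is loaded on both nodes
        manager.add_filter(f)

    worker_http = worker.write("http", {"date": "2015-07-25"})["http_json"]
    # The worker's writer reaches the manager as a path string only.
    manager_http = manager.receive_remote_writer("ascii", "/var/opt/bro/logs-json/http-2015-07-25")
    manager_conn = manager.receive_remote_writer("ascii", "/var/opt/bro/logs-json/conn")
    return worker_http, manager_http, manager_conn


if __name__ == "__main__":
    print("worker http=%.1f manager http=%.1f manager conn=%.1f" % demo())
```

Running demo() reproduces the three outcomes visible in the debug output: the worker's http_json writer gets interval 0, the manager's copy of the same writer falls back to the default because no filter has that path yet, and the fixed-path conn_json filter matches on both nodes.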
From: jira at bro-tracker.atlassian.net (Bill Parker (JIRA))
Date: Mon, 3 Aug 2015 12:26:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1442) Prevent possible segmentation violation/faults in Bro-2.3.2

Bill Parker created BIT-1442:
--------------------------------

             Summary: Prevent possible segmentation violation/faults in Bro-2.3.2
                 Key: BIT-1442
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1442
             Project: Bro Issue Tracker
          Issue Type: Patch
          Components: bro-aux, Broccoli
    Affects Versions: 2.3
         Environment: Linux/Windows/BSD, etc
            Reporter: Bill Parker
         Attachments: bro.c.patch, SubnetTree_wrap.cc.patch

Hello All,

In reviewing calls to memset() in Bro-2.3.2, I came across a pair of instances where memset could POSSIBLY be called with an address area pointing to NULL, which would generate a segmentation violation/fault during execution. The patch files below should address these issues:

In directory 'bro-2.3.2/aux/broctl/aux/pysubnettree', file 'SubnetTree_wrap.cc':

--- SubnetTree_wrap.cc.orig	2015-08-02 18:56:24.034212101 -0400
+++ SubnetTree_wrap.cc	2015-08-02 18:59:11.242212101 -0400
@@ -719,6 +719,8 @@
 SWIG_UnpackDataName(const char *c, void *ptr, size_t sz, const char *name) {
   if (*c != '_') {
     if (strcmp(c,"NULL") == 0) {
+      if (ptr == NULL)  /* on off chance that ptr is NULL, memset() */
+        return 0;       /* will segment violation/fault, so return 0 */
       memset(ptr,0,sz);
       return name;
     } else {

In directory 'bro-2.3.2/aux/broccoli/src', file 'bro.c':

--- bro.c.orig	2015-08-02 19:04:00.161212101 -0400
+++ bro.c	2015-08-02 19:05:15.608212101 -0400
@@ -367,6 +367,9 @@
 void
 bro_ctx_init(BroCtx *ctx)
 {
+  if (! ctx) /* paranoid, ctx must NOT be NULL */
+    return;
+
   memset(ctx, 0, sizeof(BroCtx));
 }

Comments, Questions, Suggestions, Complaints :)

I am attaching the patch file(s) to this bug report...

Bill Parker (wp02855 at gmail dot com)

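Review bot: in the SWIG_UnpackDataName hunk, `return 0` turns a NULL `ptr` into a silent failure: the success path of this case returns `name`, so a caller that passed no destination storage now gets the same result as a malformed input and nothing reports the programming error. A NULL destination here is a caller bug rather than an input condition, so an `assert(ptr)` (or a logged failure) is more useful than a quiet early return. SubnetTree_wrap.cc is also SWIG-generated output (the `SWIG_` prefix and the `_wrap.cc` name), so a hand edit is discarded the next time the wrapper is regenerated; if the check is wanted it belongs in whatever produces the wrapper, or upstream in SWIG.

Review bot: in the bro_ctx_init hunk, returning silently from a void function on a NULL `ctx` hides the caller's bug instead of fixing anything: the context is never zeroed, the caller gets no error, and the fault moves to the first later use of the uninitialized BroCtx, where it is harder to trace. The added comment says "ctx must NOT be NULL", which is an invariant, so express it as one (an assert in debug builds, or a diagnostic through the library's error reporting) rather than a bare `return;`; at minimum the documentation of bro_ctx_init should state that a NULL argument is ignored.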
From: noreply at bro.org (Merge Tracker)
Date: Tue, 4 Aug 2015 00:00:35 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508040700.t7470Z37012217@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee   Updated     For Version   Priority   Summary
------------  -----------  -------------  ---------  ----------  ------------  ---------  -----------------------------------------------
BIT-1440 [1]  Bro          Daniel Thayer  -          2015-07-31  2.5           Normal     Remove perl from list of Bro build dependencies
BIT-1439 [2]  bro-aux      Daniel Thayer  -          2015-07-30  2.5           Normal     bro-cut segfaults for some invalid logs

Open Fastpath Commits
======================

Commit       Component    Author         Date        Summary
-----------  -----------  -------------  ----------  ------------------------------------------
33cebe1 [3]  bro          Daniel Thayer  2015-08-03  Fix a test that is failing very frequently

Open GitHub Pull Requests
=========================

Issue    Component    User                   Updated     Title
-------  -----------  ---------------------  ----------  ------------------------------------------------------------
#36 [4]  bro          jswaro [5]             2015-07-31  Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [6]
#5 [7]   bro-plugins  jswaro [8]             2015-07-26  Adding initial conversion of TCPRS to a plugin [9]
#3 [10]  bro-plugins  albertzaharovits [11]  2015-08-03  Redis Log Writer [12]

[1] BIT-1440 https://bro-tracker.atlassian.net/browse/BIT-1440
[2] BIT-1439 https://bro-tracker.atlassian.net/browse/BIT-1439
[3] 33cebe1 https://github.com/bro/bro/commit/33cebe11500177706e33e8055109e28411472f27
[4] Pull Request #36 https://github.com/bro/bro/pull/36
[5] jswaro https://github.com/jswaro
[6] Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support
[7] Pull Request #5 https://github.com/bro/bro-plugins/pull/5
[8] jswaro https://github.com/jswaro
[9] Merge Pull Request #5 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[10] Pull Request #3 https://github.com/bro/bro-plugins/pull/3
[11] albertzaharovits https://github.com/albertzaharovits
[12] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master

From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Tue, 4 Aug 2015 15:46:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1443) pcap files with screwy timestamps hang bro

Justin Azoff created BIT-1443:
---------------------------------

             Summary: pcap files with screwy timestamps hang bro
                 Key: BIT-1443
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1443
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
            Reporter: Justin Azoff
            Priority: Low
         Attachments: hang.pcap

{code}
$ tcpdump -n -tt -r hang.pcap
reading from file hang.pcap, link-type EN10MB (Ethernet)
1425182592.408334 IP 192.168.2.151.51354 > 192.168.2.1.53: 33466+ PTR? 8.8.8.8.in-addr.arpa. (38)
2884800384.410797 IP 192.168.2.1.53 > 192.168.2.151.51354: 41658 1/0/0 PTR google-public-dns-a.google.com. (82)
{code}

hangs bro in or around {code}iosource::Manager::FindSoonest{code}

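A capture like the one in this report (the second record is dated 2884800384, i.e. the year 2061, some 46 years after the first) can be caught before it is ever replayed into a sensor. The following pre-flight check, added here and not part of Bro or of the report, walks the record headers of a classic microsecond pcap and flags timestamps that run backwards, jump implausibly far forward, or fall outside a plausible window. It uses only the Python standard library; the sample capture is constructed in the code to mirror the two timestamps in the tcpdump output above (payload bytes are dummies), and the thresholds (one day maximum jump, a window from 2000-01-01 to one year from now) are assumptions to tune per source.

```python
"""Pre-flight timestamp sanity check for classic (microsecond) pcap files.

Added example, not Bro's code. Nanosecond-resolution pcap (magic 0xA1B23C4D)
and pcapng are out of scope here (assumption: microsecond pcap only).
"""
import struct
import time
from typing import Iterator, List, Optional, Tuple

PCAP_GLOBAL_HEADER_LEN = 24
PCAP_RECORD_HEADER_LEN = 16
MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # 0xA1B2C3D4 written little-endian
MAGIC_BE = b"\xa1\xb2\xc3\xd4"

# Constructed sample mirroring the two timestamps in the BIT-1443 tcpdump output.
SAMPLE_RECORDS = [
    (1425182592, 408334, b"\x00" * 38),
    (2884800384, 410797, b"\x00" * 82),
]


def build_pcap(records: List[Tuple[int, int, bytes]]) -> bytes:
    """Serialise (sec, usec, payload) tuples as a little-endian Ethernet pcap."""
    # magic, version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for sec, usec, payload in records:
        out.append(struct.pack("<IIII", sec, usec, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)


def iter_record_times(data: bytes) -> Iterator[float]:
    """Yield each record's timestamp in float seconds, skipping over payloads by incl_len."""
    if data[:4] == MAGIC_LE:
        endian = "<"
    elif data[:4] == MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap (magic %r)" % data[:4])
    off = PCAP_GLOBAL_HEADER_LEN
    while off + PCAP_RECORD_HEADER_LEN <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + PCAP_RECORD_HEADER_LEN])
        off += PCAP_RECORD_HEADER_LEN
        if off + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % (off - PCAP_RECORD_HEADER_LEN))
        yield sec + usec / 1e6
        off += incl_len


def check_timestamps(data: bytes, max_jump: float = 86400.0,
                     min_ts: float = 946684800.0,          # 2000-01-01 (assumed floor)
                     max_ts: Optional[float] = None) -> List[Tuple[int, float, str]]:
    """Return (record index, timestamp, problem) for every suspicious record.

    Problems: 'out-of-range' (outside [min_ts, max_ts]), 'backwards' (earlier
    than the previous record) and 'forward-jump' (more than max_jump seconds
    after the previous record).
    """
    if max_ts is None:
        max_ts = time.time() + 366 * 86400    # more than a year ahead is suspect
    problems = []
    prev = None
    for idx, ts in enumerate(iter_record_times(data)):
        if not (min_ts <= ts <= max_ts):
            problems.append((idx, ts, "out-of-range"))
        if prev is not None:
            if ts < prev:
                problems.append((idx, ts, "backwards"))
            elif ts - prev > max_jump:
                problems.append((idx, ts, "forward-jump"))
        prev = ts
    return problems


def check_sample() -> List[Tuple[int, float, str]]:
    """Run the check over the constructed BIT-1443-like capture."""
    return check_timestamps(build_pcap(SAMPLE_RECORDS))


if __name__ == "__main__":
    for idx, ts, why in check_sample():
        print("record %d ts=%.6f: %s" % (idx, ts, why))
```

On the constructed sample the second record is reported twice, as out-of-range and as a forward jump of about 1.46 billion seconds; a clean capture yields an empty list. Replace build_pcap(...) with the bytes of a real file to use it on captures before replaying them.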
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Tue, 4 Aug 2015 15:59:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1441) Logrotation cannot be set when using path_func

[ https://bro-tracker.atlassian.net/browse/BIT-1441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Azoff updated BIT-1441:
------------------------------

    Attachment: path_func_bug.bro

> Logrotation cannot be set when using path_func
> ----------------------------------------------
>
>                 Key: BIT-1441
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1441
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: SLC6, PF_RING, broctl
>            Reporter: Jan Grashoefer
>         Attachments: path_func_bug.bro
>
> [...]

From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Tue, 4 Aug 2015 15:59:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1441) Logrotation cannot be set when using path_func

[ https://bro-tracker.atlassian.net/browse/BIT-1441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21500#comment-21500 ]

Justin Azoff commented on BIT-1441:
-----------------------------------

files on try.bro.org eventually expire, so I uploaded it here so it does not get lost.

> Logrotation cannot be set when using path_func
> ----------------------------------------------
>
>                 Key: BIT-1441
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1441
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: SLC6, PF_RING, broctl
>            Reporter: Jan Grashoefer
>         Attachments: path_func_bug.bro
>
> [...]

From: noreply at bro.org (Merge Tracker)
Date: Wed, 5 Aug 2015 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508050700.t7570LgZ017738@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee   Updated     For Version   Priority   Summary
------------  ----------  -------------  ---------  ----------  ------------  ---------  -----------------------------------------------
BIT-1440 [1]  Bro         Daniel Thayer  -          2015-07-31  2.5           Normal     Remove perl from list of Bro build dependencies
BIT-1439 [2]  bro-aux     Daniel Thayer  -          2015-07-30  2.5           Normal     bro-cut segfaults for some invalid logs

Open Fastpath Commits
=====================

Commit       Component   Author         Date        Summary
-----------  ----------  -------------  ----------  ------------------------------------------
33cebe1 [3]  bro         Daniel Thayer  2015-08-03  Fix a test that is failing very frequently

Open GitHub Pull Requests
=========================

Issue    Component    User                   Updated     Title
-------  -----------  ---------------------  ----------  ------------------------------------------------------------
#36 [4]  bro          jswaro [5]             2015-07-31  Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [6]
#5 [7]   bro-plugins  jswaro [8]             2015-07-26  Adding initial conversion of TCPRS to a plugin [9]
#3 [10]  bro-plugins  albertzaharovits [11]  2015-08-03  Redis Log Writer [12]

[1]  BIT-1440                    https://bro-tracker.atlassian.net/browse/BIT-1440
[2]  BIT-1439                    https://bro-tracker.atlassian.net/browse/BIT-1439
[3]  33cebe1                     https://github.com/bro/bro/commit/33cebe11500177706e33e8055109e28411472f27
[4]  Pull Request #36            https://github.com/bro/bro/pull/36
[5]  jswaro                      https://github.com/jswaro
[6]  Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support
[7]  Pull Request #5             https://github.com/bro/bro-plugins/pull/5
[8]  jswaro                      https://github.com/jswaro
[9]  Merge Pull Request #5 with  git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[10] Pull Request #3             https://github.com/bro/bro-plugins/pull/3
[11] albertzaharovits            https://github.com/albertzaharovits
[12] Merge Pull Request #3 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master

From jira at bro-tracker.atlassian.net Wed Aug 5 07:01:00 2015
From: jira at bro-tracker.atlassian.net (Jimmy Jones (JIRA))
Date: Wed, 5 Aug 2015 09:01:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1444) Connection logging for ESP
In-Reply-To:
References:
Message-ID:

Jimmy Jones created BIT-1444:
--------------------------------

             Summary: Connection logging for ESP
                 Key: BIT-1444
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1444
             Project: Bro Issue Tracker
          Issue Type: New Feature
          Components: Bro
            Reporter: Jimmy Jones


I'd like to be able to track ESP (IPSec) connections in conn.log. Although ESP is encrypted, the ability to track volumes and pattern of life etc. would be beneficial when doing intrusion analysis.

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From noreply at bro.org Thu Aug 6 00:00:20 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 6 Aug 2015 00:00:20 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508060700.t7670KNM006667@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee   Updated     For Version   Priority   Summary
------------  ----------  -------------  ---------  ----------  ------------  ---------  -----------------------------------------------
BIT-1440 [1]  Bro         Daniel Thayer  -          2015-07-31  2.5           Normal     Remove perl from list of Bro build dependencies
BIT-1439 [2]  bro-aux     Daniel Thayer  -          2015-07-30  2.5           Normal     bro-cut segfaults for some invalid logs

Open Fastpath Commits
=====================

Commit       Component   Author         Date        Summary
-----------  ----------  -------------  ----------  ------------------------------------------
33cebe1 [3]  bro         Daniel Thayer  2015-08-03  Fix a test that is failing very frequently

Open GitHub Pull Requests
=========================

Issue    Component    User                   Updated     Title
-------  -----------  ---------------------  ----------  ------------------------------------------------------------
#39 [4]  bro          balintm [5]            2015-08-05  Teredo dpd signature extended [6]
#36 [7]  bro          jswaro [8]             2015-07-31  Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [9]
#5 [10]  bro-plugins  jswaro [11]            2015-07-26  Adding initial conversion of TCPRS to a plugin [12]
#3 [13]  bro-plugins  albertzaharovits [14]  2015-08-03  Redis Log Writer [15]

[1]  BIT-1440                    https://bro-tracker.atlassian.net/browse/BIT-1440
[2]  BIT-1439                    https://bro-tracker.atlassian.net/browse/BIT-1439
[3]  33cebe1                     https://github.com/bro/bro/commit/33cebe11500177706e33e8055109e28411472f27
[4]  Pull Request #39            https://github.com/bro/bro/pull/39
[5]  balintm                     https://github.com/balintm
[6]  Merge Pull Request #39 with git pull --no-ff --no-commit https://github.com/balintm/bro.git master
[7]  Pull Request #36            https://github.com/bro/bro/pull/36
[8]  jswaro                      https://github.com/jswaro
[9]  Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support
[10] Pull Request #5             https://github.com/bro/bro-plugins/pull/5
[11] jswaro                      https://github.com/jswaro
[12] Merge Pull Request #5 with  git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[13] Pull Request #3             https://github.com/bro/bro-plugins/pull/3
[14] albertzaharovits            https://github.com/albertzaharovits
[15] Merge Pull Request #3 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master

From noreply at bro.org Fri Aug 7 00:00:21 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 7 Aug 2015 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508070700.t7770LXJ003690@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee   Updated     For Version   Priority   Summary
------------  ----------  -------------  ---------  ----------  ------------  ---------  -----------------------------------------------
BIT-1440 [1]  Bro         Daniel Thayer  -          2015-07-31  2.5           Normal     Remove perl from list of Bro build dependencies
BIT-1439 [2]  bro-aux     Daniel Thayer  -          2015-07-30  2.5           Normal     bro-cut segfaults for some invalid logs

Open Fastpath Commits
=====================

Commit       Component   Author         Date        Summary
-----------  ----------  -------------  ----------  ------------------------------------------
33cebe1 [3]  bro         Daniel Thayer  2015-08-03  Fix a test that is failing very frequently

Open GitHub Pull Requests
=========================

Issue    Component    User                   Updated     Title
-------  -----------  ---------------------  ----------  ------------------------------------------------------------
#39 [4]  bro          balintm [5]            2015-08-05  Teredo dpd signature extended [6]
#36 [7]  bro          jswaro [8]             2015-07-31  Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [9]
#5 [10]  bro-plugins  jswaro [11]            2015-07-26  Adding initial conversion of TCPRS to a plugin [12]
#3 [13]  bro-plugins  albertzaharovits [14]  2015-08-03  Redis Log Writer [15]

[1]  BIT-1440                    https://bro-tracker.atlassian.net/browse/BIT-1440
[2]  BIT-1439                    https://bro-tracker.atlassian.net/browse/BIT-1439
[3]  33cebe1                     https://github.com/bro/bro/commit/33cebe11500177706e33e8055109e28411472f27
[4]  Pull Request #39            https://github.com/bro/bro/pull/39
[5]  balintm                     https://github.com/balintm
[6]  Merge Pull Request #39 with git pull --no-ff --no-commit https://github.com/balintm/bro.git master
[7]  Pull Request #36            https://github.com/bro/bro/pull/36
[8]  jswaro                      https://github.com/jswaro
[9]  Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support
[10] Pull Request #5             https://github.com/bro/bro-plugins/pull/5
[11] jswaro                      https://github.com/jswaro
[12] Merge Pull Request #5 with  git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[13] Pull Request #3             https://github.com/bro/bro-plugins/pull/3
[14] albertzaharovits            https://github.com/albertzaharovits
[15] Merge Pull Request #3 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master

From jira at bro-tracker.atlassian.net Fri Aug 7 18:04:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 7 Aug 2015 20:04:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1440) Remove perl from list of Bro build dependencies
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1440?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1440:
------------------------------

    Status: Closed  (was: Merge Request)

> Remove perl from list of Bro build dependencies
> -----------------------------------------------
>
>                 Key: BIT-1440
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1440
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>             Fix For: 2.5
>
>
> Currently, perl is required to build Bro due to one small perl script.
> Since that script doesn't rely on any special features of perl, it can
> easily be rewritten to avoid the dependency on perl. This is mostly
> relevant for FreeBSD, where perl is not installed by default.

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Fri Aug 7 18:05:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 7 Aug 2015 20:05:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1439) bro-cut segfaults for some invalid logs
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1439?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1439:
------------------------------

    Status: Closed  (was: Merge Request)

> bro-cut segfaults for some invalid logs
> ---------------------------------------
>
>                 Key: BIT-1439
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1439
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: bro-aux
>            Reporter: Daniel Thayer
>             Fix For: 2.5
>
>
> Justin was testing bro-cut and found a few cases where an invalid log file
> could trigger a segfault.

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From noreply at bro.org Sat Aug 8 00:00:18 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 8 Aug 2015 00:00:18 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508080700.t7870I4a000550@bro-ids.icir.org>

Open Fastpath Commits
=====================

Commit       Component   Author         Date        Summary
-----------  ----------  -------------  ----------  ------------------------------------------
33cebe1 [1]  bro         Daniel Thayer  2015-08-03  Fix a test that is failing very frequently

Open GitHub Pull Requests
=========================

Issue    Component    User         Updated     Title
-------  -----------  -----------  ----------  ------------------------------------------------------------
#39 [2]  bro          balintm [3]  2015-08-07  Teredo dpd signature extended [4]
#36 [5]  bro          jswaro [6]   2015-07-31  Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [7]
#5 [8]   bro-plugins  jswaro [9]   2015-07-26  Adding initial conversion of TCPRS to a plugin [10]

[1]  33cebe1                     https://github.com/bro/bro/commit/33cebe11500177706e33e8055109e28411472f27
[2]  Pull Request #39            https://github.com/bro/bro/pull/39
[3]  balintm                     https://github.com/balintm
[4]  Merge Pull Request #39 with git pull --no-ff --no-commit https://github.com/balintm/bro.git master
[5]  Pull Request #36            https://github.com/bro/bro/pull/36
[6]  jswaro                      https://github.com/jswaro
[7]  Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support
[8]  Pull Request #5             https://github.com/bro/bro-plugins/pull/5
[9]  jswaro                      https://github.com/jswaro
[10] Merge Pull Request #5 with  git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin

From noreply at bro.org Sun Aug 9 00:00:21 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 9 Aug 2015 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508090700.t7970LK4011134@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component    User         Updated     Title
-------  -----------  -----------  ----------  ------------------------------------------------------------
#39 [1]  bro          balintm [2]  2015-08-07  Teredo dpd signature extended [3]
#36 [4]  bro          jswaro [5]   2015-07-31  Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [6]
#5 [7]   bro-plugins  jswaro [8]   2015-07-26  Adding initial conversion of TCPRS to a plugin [9]

[1]  Pull Request #39            https://github.com/bro/bro/pull/39
[2]  balintm                     https://github.com/balintm
[3]  Merge Pull Request #39 with git pull --no-ff --no-commit https://github.com/balintm/bro.git master
[4]  Pull Request #36            https://github.com/bro/bro/pull/36
[5]  jswaro                      https://github.com/jswaro
[6]  Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support
[7]  Pull Request #5             https://github.com/bro/bro-plugins/pull/5
[8]  jswaro                      https://github.com/jswaro
[9]  Merge Pull Request #5 with  git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin

From noreply at bro.org Mon Aug 10 00:00:22 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 10 Aug 2015 00:00:22 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508100700.t7A70Mw1002572@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component    User            Updated     Title
-------  -----------  --------------  ----------  ------------------------------------------------------------
#40 [1]  bro          knielander [2]  2015-08-09  Enable linux fanout mode with Bro [3]
#39 [4]  bro          balintm [5]     2015-08-07  Teredo dpd signature extended [6]
#36 [7]  bro          jswaro [8]      2015-07-31  Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [9]
#5 [10]  bro-plugins  jswaro [11]     2015-07-26  Adding initial conversion of TCPRS to a plugin [12]

[1]  Pull Request #40            https://github.com/bro/bro/pull/40
[2]  knielander                  https://github.com/knielander
[3]  Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[4]  Pull Request #39            https://github.com/bro/bro/pull/39
[5]  balintm                     https://github.com/balintm
[6]  Merge Pull Request #39 with git pull --no-ff --no-commit https://github.com/balintm/bro.git master
[7]  Pull Request #36            https://github.com/bro/bro/pull/36
[8]  jswaro                      https://github.com/jswaro
[9]  Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support
[10] Pull Request #5             https://github.com/bro/bro-plugins/pull/5
[11] jswaro                      https://github.com/jswaro
[12] Merge Pull Request #5 with  git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin

From jira at bro-tracker.atlassian.net Mon Aug 10 12:08:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 10 Aug 2015 14:08:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1445) Broker crash when two stores go to the same SQLite DB
In-Reply-To:
References:
Message-ID:

Robin Sommer created BIT-1445:
---------------------------------

             Summary: Broker crash when two stores go to the same SQLite DB
                 Key: BIT-1445
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1445
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Broker
    Affects Versions: 2.4
            Reporter: Robin Sommer
             Fix For: 2.5


This crashes Bro:

{code}
[...]
local s = BrokerStore::create_master("BroCon", BrokerStore::SQLITE);
local t = BrokerStore::create_master("BroCon2", BrokerStore::SQLITE);
[...]
{code}

Both stores go to the same file because the 3rd parameter with the file name is optional and defaults to {{store.sqlite}}; and that is a problem.

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Mon Aug 10 12:10:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 10 Aug 2015 14:10:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1446) Remove the dummy Broker framework
In-Reply-To:
References:
Message-ID:

Robin Sommer created BIT-1446:
---------------------------------

             Summary: Remove the dummy Broker framework
                 Key: BIT-1446
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1446
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
         Environment: For unit testing with Broker disabled, there's currently a dummy script-level framework to fill in. Unfortunately that dummy framework is the one that ends up getting documented, overriding the actual one. Now that Broker is mandatory, we should just remove the dummy.
            Reporter: Robin Sommer
             Fix For: 2.5


--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Mon Aug 10 12:12:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 10 Aug 2015 14:12:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1447) Can't abort blocking Broker Python functions
In-Reply-To:
References:
Message-ID:

Robin Sommer created BIT-1447:
---------------------------------

             Summary: Can't abort blocking Broker Python functions
                 Key: BIT-1447
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1447
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Broker
    Affects Versions: 2.4
            Reporter: Robin Sommer
             Fix For: 2.5


When one of Broker's Python functions blocks, one can't abort with CTRL-C.

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Mon Aug 10 12:16:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 10 Aug 2015 14:16:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1448) Improve Bro's Broker API.
In-Reply-To:
References:
Message-ID:

Robin Sommer created BIT-1448:
---------------------------------

             Summary: Improve Bro's Broker API.
                 Key: BIT-1448
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1448
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
            Reporter: Robin Sommer
             Fix For: 2.5


There are a couple things that would be nice to improve with Bro's Broker framework:

- avoid having to use {{when}} for lookups.
- avoid having to wrap/unwrap values into/from {{data}} values.

These will need some thought, though, as there are reasons why things are the way they are. :)

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Mon Aug 10 12:20:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 10 Aug 2015 14:20:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1449) Wrap Broker Bifs into script-level functions
In-Reply-To:
References:
Message-ID:

Robin Sommer created BIT-1449:
---------------------------------

             Summary: Wrap Broker Bifs into script-level functions
                 Key: BIT-1449
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1449
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
            Reporter: Robin Sommer
             Fix For: 2.5


When working with Broker in Bro, one currently calls its bifs directly. That works just fine, but is a problem for documentation: the bifs are defined outside of the Broker framework, splitting the information across two places. We should do here what other frameworks do: rename the Bifs to have internal-only names ({{__}}) and then provide wrapper functions inside the framework that just forward to those internal ones.

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Mon Aug 10 12:23:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 10 Aug 2015 14:23:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1450) Improve Python API
In-Reply-To:
References:
Message-ID:

Robin Sommer created BIT-1450:
---------------------------------

             Summary: Improve Python API
                 Key: BIT-1450
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1450
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Broker
    Affects Versions: 2.4
            Reporter: Robin Sommer
             Fix For: 2.5


The Python API is a bit cumbersome still as it requires (1) manually wrapping values with {{data}} instances, and (2) also generally reflects C semantics a bit too much, leading to some "unPythonic" idioms.

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Mon Aug 10 12:47:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Mon, 10 Aug 2015 14:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1451) File extraction limits broken
In-Reply-To:
References:
Message-ID:

Seth Hall created BIT-1451:
------------------------------

             Summary: File extraction limits broken
                 Key: BIT-1451
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1451
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master, 2.4
            Reporter: Seth Hall


As reported by Jason Batchelor on the mailing list, Bro 2.4 doesn't seem to be respecting file extraction limits. I suspect this is due to the file reassembly changes that went into Bro 2.4. We need to create a test case for this situation once we figure out how to reliably make it fail.

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Mon Aug 10 12:49:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 10 Aug 2015 14:49:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1451) File extraction limits broken
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1451?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1451:
------------------------------

    Fix Version/s: 2.5

> File extraction limits broken
> -----------------------------
>
>                 Key: BIT-1451
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1451
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.4
>            Reporter: Seth Hall
>             Fix For: 2.5
>
>
> As reported by Jason Batchelor on the mailing list, Bro 2.4 doesn't seem to be respecting file extraction limits. I suspect this is due to the file reassembly changes that went into Bro 2.4. We need to create a test case for this situation once we figure out how to reliably make it fail.

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From noreply at bro.org Tue Aug 11 00:00:17 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 11 Aug 2015 00:00:17 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508110700.t7B70HEI031333@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component   User            Updated     Title
-------  ----------  --------------  ----------  -------------------------------------
#40 [1]  bro         knielander [2]  2015-08-09  Enable linux fanout mode with Bro [3]
#39 [4]  bro         balintm [5]     2015-08-10  Teredo dpd signature extended [6]

[1]  Pull Request #40            https://github.com/bro/bro/pull/40
[2]  knielander                  https://github.com/knielander
[3]  Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[4]  Pull Request #39            https://github.com/bro/bro/pull/39
[5]  balintm                     https://github.com/balintm
[6]  Merge Pull Request #39 with git pull --no-ff --no-commit https://github.com/balintm/bro.git master

From jira at bro-tracker.atlassian.net Tue Aug 11 10:26:01 2015
From: jira at bro-tracker.atlassian.net (Jamal Tarik James (JIRA))
Date: Tue, 11 Aug 2015 12:26:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1452) CYBER INTRUSION SPY SCREENING AND NUMEROUS FILE DATA TRANSMISSION MALICIOUS CODES TARGETS ETC.. ALL APSECT OF MALICIOUS INTENT AND MISUSE OF THE CYBER SPACE INFRASTRUCTURE.
In-Reply-To:
References:
Message-ID:

Jamal Tarik James created BIT-1452:
--------------------------------------

             Summary: CYBER INTRUSION SPY SCREENING AND NUMEROUS FILE DATA TRANSMISSION MALICIOUS CODES TARGETS ETC.. ALL APSECT OF MALICIOUS INTENT AND MISUSE OF THE CYBER SPACE INFRASTRUCTURE.
                 Key: BIT-1452
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1452
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BinPAC, Bro, bro-aux, Broccoli, broccoli-python, broccoli-ruby, BroControl, Broker, Capstats, Documentation, pysubnettree, TicketTracker, trace-summary, VAST, Website
    Affects Versions: 2.3, 2.2, 2.1, 2.0, 1.5.4, 1.5.3, 1.5.1, 1.5.2, git/master, 2.4, 2.5, 2.6
         Environment: POSSIBLE FIXES AND UPDATES TO THIS CURRENT ISSUE
            Reporter: Jamal Tarik James


NUMEROUS CYBER ESPIONAGE INTRUSION ISSUE MALICIOUS CODING AND SCREENING MISUSE OF MANY LOCATION ENVIRONMENTS CURRENTLY BEING SETUP AS A WAY TO GAIN ACCESS TO USERS VITAL INFORMATION PASSWORDS ETC.. AND VARIOUS OTHER CLASSIFIED DATA BEWARE OF THE ABILITY TO INFILTRATE THE LOCATIONS BY THERE MISS INFORMATION AND OTHER FOOLISHLY DESIGNED SPYING AND COWARDLY DISGUISES TO CONDUCT SUCH WIDESPREAD ESPIONAGE GATHERING AND OTHER CYBER ISSUES THAT MAY GO UNDETECTED.

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Tue Aug 11 11:59:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 11 Aug 2015 13:59:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1452) CYBER INTRUSION SPY SCREENING AND NUMEROUS FILE DATA TRANSMISSION MALICIOUS CODES TARGETS ETC.. ALL APSECT OF MALICIOUS INTENT AND MISUSE OF THE CYBER SPACE INFRASTRUCTURE.
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1452?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1452:
------------------------------

    Resolution: Invalid
        Status: Closed  (was: Open)

> CYBER INTRUSION SPY SCREENING AND NUMEROUS FILE DATA TRANSMISSION MALICIOUS CODES TARGETS ETC.. ALL APSECT OF MALICIOUS INTENT AND MISUSE OF THE CYBER SPACE INFRASTRUCTURE.
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: BIT-1452
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1452
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC, Bro, bro-aux, Broccoli, broccoli-python, broccoli-ruby, BroControl, Broker, Capstats, Documentation, pysubnettree, TicketTracker, trace-summary, VAST, Website
>    Affects Versions: 1.5.2, 1.5.1, git/master, 1.5.3, 1.5.4, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6
>         Environment: POSSIBLE FIXES AND UPDATES TO THIS CURRENT ISSUE
>            Reporter: Jamal Tarik James
>
>
> NUMEROUS CYBER ESPIONAGE INTRUSION ISSUE MALICIOUS CODING AND SCREENING MISUSE OF MANY LOCATION ENVIRONMENTS CURRENTLY BEING SETUP AS A WAY TO GAIN ACCESS TO USERS VITAL INFORMATION PASSWORDS ETC.. AND VARIOUS OTHER CLASSIFIED DATA BEWARE OF THE ABILITY TO INFILTRATE THE LOCATIONS BY THERE MISS INFORMATION AND OTHER FOOLISHLY DESIGNED SPYING AND COWARDLY DISGUISES TO CONDUCT SUCH WIDESPREAD ESPIONAGE GATHERING AND OTHER CYBER ISSUES THAT MAY GO UNDETECTED.

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Tue Aug 11 12:13:00 2015
From: jira at bro-tracker.atlassian.net (Jamal Tarik James (JIRA))
Date: Tue, 11 Aug 2015 14:13:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1452) CYBER INTRUSION SPY SCREENING AND NUMEROUS FILE DATA TRANSMISSION MALICIOUS CODES TARGETS ETC.. ALL APSECT OF MALICIOUS INTENT AND MISUSE OF THE CYBER SPACE INFRASTRUCTURE.
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1452?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21600#comment-21600 ]

Jamal Tarik James commented on BIT-1452:
----------------------------------------

THINK HAHAHA

> CYBER INTRUSION SPY SCREENING AND NUMEROUS FILE DATA TRANSMISSION MALICIOUS CODES TARGETS ETC.. ALL APSECT OF MALICIOUS INTENT AND MISUSE OF THE CYBER SPACE INFRASTRUCTURE.
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: BIT-1452
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1452

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Tue Aug 11 12:14:00 2015
From: jira at bro-tracker.atlassian.net (Jamal Tarik James (JIRA))
Date: Tue, 11 Aug 2015 14:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1452) CYBER INTRUSION SPY SCREENING AND NUMEROUS FILE DATA TRANSMISSION MALICIOUS CODES TARGETS ETC.. ALL APSECT OF MALICIOUS INTENT AND MISUSE OF THE CYBER SPACE INFRASTRUCTURE.
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1452?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jamal Tarik James updated BIT-1452:
-----------------------------------

        Status: Reopened  (was: Closed)
    Resolution:   (was: Invalid)

> CYBER INTRUSION SPY SCREENING AND NUMEROUS FILE DATA TRANSMISSION MALICIOUS CODES TARGETS ETC.. ALL APSECT OF MALICIOUS INTENT AND MISUSE OF THE CYBER SPACE INFRASTRUCTURE.
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: BIT-1452
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1452

--
This message was sent by Atlassian JIRA
(v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Tue Aug 11 12:14:00 2015
From: jira at bro-tracker.atlassian.net (Jamal Tarik James (JIRA)) Date: Tue, 11 Aug 2015 14:14:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1452) CYBER INTRUSION SPY SCREENING AND NUMEROUS FILE DATA TRANSMISSION MALICIOUS CODES TARGETS ETC.. ALL APSECT OF MALICIOUS INTENT AND MISUSE OF THE CYBER SPACE INFRASTRUCTURE. In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1452?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21601#comment-21601 ] Jamal Tarik James commented on BIT-1452: ---------------------------------------- AND EXPOSED THERE ENTIRE CYBERCRIME > CYBER INTRUSION SPY SCREENING AND NUMEROUS FILE DATA TRANSMISSION MALICIOUS CODES TARGETS ETC.. ALL APSECT OF MALICIOUS INTENT AND MISUSE OF THE CYBER SPACE INFRASTRUCTURE. > ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: BIT-1452 > URL: https://bro-tracker.atlassian.net/browse/BIT-1452 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BinPAC, Bro, bro-aux, Broccoli, broccoli-python, broccoli-ruby, BroControl, Broker, Capstats, Documentation, pysubnettree, TicketTracker, trace-summary, VAST, Website > Affects Versions: 1.5.2, 1.5.1, git/master, 1.5.3, 1.5.4, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6 > Environment: POSSIBLE FIXES AND UPDATES TO THIS CURRENT ISSUE > Reporter: Jamal Tarik James > > NUMEROUS CYBER ESPIONAGE INTRUSION ISSUE MALICIOUS CODING AND SCREENING MISUSE OF MANY LOCATION ENVIRONMENTS CURRENTLY BEING SETUP AS A WAY TO GAIN ACCESS TO USERS VITAL INFORMATION PASSWORDS ETC.. AND VARIOUS OTHER CLASSIFIED DATA BEWARE OF THE ABILITY TO INFILTRATE THE LOCATIONS BY THERE MISS INFORMATION AND OTHER FOOLISHLY DESIGNED SPYING AND COWARDLY DISGUISES TO CONDUCT SUCH WIDESPREAD ESPIONAGE GATHERING AND OTHER CYBER ISSUES THAT MAY GO UNDETECTED. 
From jira at bro-tracker.atlassian.net Tue Aug 11 12:14:00 2015
From: jira at bro-tracker.atlassian.net (Jamal Tarik James (JIRA))
Date: Tue, 11 Aug 2015 14:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1452) CYBER INTRUSION SPY SCREENING AND NUMEROUS FILE DATA TRANSMISSION MALICIOUS CODES TARGETS ETC.. ALL ASPECTS OF MALICIOUS INTENT AND MISUSE OF THE CYBER SPACE INFRASTRUCTURE.

[ https://bro-tracker.atlassian.net/browse/BIT-1452?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jamal Tarik James updated BIT-1452:
-----------------------------------

    Status: In Progress  (was: Reopened)
From jira at bro-tracker.atlassian.net Tue Aug 11 12:25:01 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Tue, 11 Aug 2015 14:25:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1452) CYBER INTRUSION SPY SCREENING AND NUMEROUS FILE DATA TRANSMISSION MALICIOUS CODES TARGETS ETC.. ALL ASPECTS OF MALICIOUS INTENT AND MISUSE OF THE CYBER SPACE INFRASTRUCTURE.

[ https://bro-tracker.atlassian.net/browse/BIT-1452?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1452:
---------------------------

    Resolution: Rejected
        Status: Closed  (was: In Progress)

I'm not even sure where to start...
From jira at bro-tracker.atlassian.net Tue Aug 11 12:27:02 2015
From: jira at bro-tracker.atlassian.net (Jamal Tarik James (JIRA))
Date: Tue, 11 Aug 2015 14:27:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1452) CYBER INTRUSION SPY SCREENING AND NUMEROUS FILE DATA TRANSMISSION MALICIOUS CODES TARGETS ETC.. ALL ASPECTS OF MALICIOUS INTENT AND MISUSE OF THE CYBER SPACE INFRASTRUCTURE.

[ https://bro-tracker.atlassian.net/browse/BIT-1452?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jamal Tarik James updated BIT-1452:
-----------------------------------

        Status: Reopened  (was: Closed)
    Resolution:           (was: Rejected)
From jira at bro-tracker.atlassian.net Tue Aug 11 12:42:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Tue, 11 Aug 2015 14:42:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1452) CYBER INTRUSION SPY SCREENING AND NUMEROUS FILE DATA TRANSMISSION MALICIOUS CODES TARGETS ETC.. ALL ASPECTS OF MALICIOUS INTENT AND MISUSE OF THE CYBER SPACE INFRASTRUCTURE.

[ https://bro-tracker.atlassian.net/browse/BIT-1452?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1452:
---------------------------

    Resolution: Invalid
        Status: Closed  (was: Reopened)
From noreply at bro.org Wed Aug 12 00:00:20 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 12 Aug 2015 00:00:20 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508120700.t7C70KmU006752@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

  Issue    Component   User             Updated      Title
  -------  ----------  ---------------  -----------  -------------------------------------
  #40 [1]  bro         knielander [2]   2015-08-11   Enable linux fanout mode with Bro [3]
  #39 [4]  bro         balintm [5]      2015-08-10   Teredo dpd signature extended [6]

[1] Pull Request #40              https://github.com/bro/bro/pull/40
[2] knielander                    https://github.com/knielander
[3] Merge Pull Request #40 with   git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[4] Pull Request #39              https://github.com/bro/bro/pull/39
[5] balintm                       https://github.com/balintm
[6] Merge Pull Request #39 with   git pull --no-ff --no-commit https://github.com/balintm/bro.git master

From jira at bro-tracker.atlassian.net Wed Aug 12 13:30:00 2015
From: jira at bro-tracker.atlassian.net (earl eiland (JIRA))
Date: Wed, 12 Aug 2015 15:30:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1453) Input::add_table is not properly reading in sets

earl eiland created BIT-1453:
--------------------------------

             Summary: Input::add_table is not properly reading in sets
                 Key: BIT-1453
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1453
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
         Environment: ArchLinux on VMware
            Reporter: earl eiland

I'm reading a table into a script. The table includes two sets in the value fields. When executing the script, I'm getting the error message "Did not find requested field service in input data file model2.log".

Following the example in bro/testing/btest/scripts/base/frameworks/input/setseparator.bro, I've redefined the set separator as "|" (redef InputAscii::set_separator = "|";).

The table key consists of two addresses, node_A and node_B. My value inputs consist of two sets, each of which can consist of just a single value; all fields are separated by tabs. The first two lines of my input file are:

    #fields	node_A	node_B	layer_3_4	service
    xxx.yyy.zzz.30	xxx.yyy.255.255	udp	dns

xxx.yyy.zzz are valid IP address values.

It appears that the strings "udp" and "dns" are both being read as part of the layer_3_4 set. Since they are separated by a tab instead of "|", they should be interpreted as separate fields.

From jira at bro-tracker.atlassian.net Wed Aug 12 13:42:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 12 Aug 2015 15:42:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1453) Input::add_table is not properly reading in sets

[ https://bro-tracker.atlassian.net/browse/BIT-1453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1453:
----------------------------------

    Assignee: Johanna Amann

From jira at bro-tracker.atlassian.net Wed Aug 12 13:53:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 12 Aug 2015 15:53:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1453) Input::add_table is not properly reading in sets

[ https://bro-tracker.atlassian.net/browse/BIT-1453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1453:
-------------------------------

    Attachment: input.log
                input.bro

From jira at bro-tracker.atlassian.net Wed Aug 12 13:53:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 12 Aug 2015 15:53:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1453) Input::add_table is not properly reading in sets

[ https://bro-tracker.atlassian.net/browse/BIT-1453?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21603#comment-21603 ]

Johanna Amann commented on BIT-1453:
------------------------------------

Hello Earl,

I am sorry, but I cannot reproduce your bug. I tried to create a log file and a bro script reading it according to your report and everything seems to work fine (working files uploaded to the bug as input.bro and input.log).

To reproduce this, could you please upload the exact source file that you used to this ticket (or send it to me directly at johanna @ bro.org), in the optimal case including the script file that you are using?

Thank you,
Johanna

From jira at bro-tracker.atlassian.net Wed Aug 12 13:57:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 12 Aug 2015 15:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1394) Github commit seems to have possible configure issues?

[ https://bro-tracker.atlassian.net/browse/BIT-1394?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1394:
-------------------------------

    Resolution: Solved
        Status: Closed  (was: Open)

> Github commit seems to have possible configure issues?
> ------------------------------------------------------
>
>                 Key: BIT-1394
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1394
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>         Environment: * Dell C6220 (PER blade: 128GB of ram | 2 socket | 16 cores per socket | 2-10G cards)
> * Ubuntu 14.04.2 LTS system
> * Feeding in 20Gb/s links
> * PF_RING-6.0.3 compiled into /opt/pfring
>
> Packages installed from base (other than SSH during select-install):
> build-essential libnuma-dev pkg-config cmake make gcc g++ swig flex bison libpcap-dev libgeoip-dev libssl-dev python-dev zlib1g-dev libmagic-dev swig2.0 libgoogle-perftools-dev google-perftools libxml2-dev libcurl4-gnutls-dev mailutils
>
> Have also added GeoIP databases manually.
>
> pfring loaded with modprobe:
> modprobe pf_ring enable_tx_capture=0 min_num_slots=32768
>            Reporter: Ventz Petkov
>            Priority: Low
>         Attachments: CMakeOutput.log
>
>
> When checking out latest master branch (https://github.com/bro/bro/commit/1e66c6718a98675fb838205a5e55220e9794eeb7), and given the above environment, error at configure:
>
> ########################################################
> bro# ./configure --with-pcap=/opt/pfring
> Build Directory : build
> Source Directory: /root/install/bro
> CMake Error at CMakeLists.txt:7 (include):
>   include could not find load file:
>
>     cmake/CommonCMakeConfig.cmake
>
> CMake Error at CMakeLists.txt:52 (include):
>   include could not find load file:
>
>     FindRequiredPackage
>
> -- Found sed: /bin/sed
> CMake Error at CMakeLists.txt:64 (FindRequiredPackage):
>   Unknown CMake command "FindRequiredPackage".
>
> -- Configuring incomplete, errors occurred!
> See also "/root/install/bro/build/CMakeFiles/CMakeOutput.log".
> ########################################################
>
> Attaching log file "CMakeOutput.log"

From jira at bro-tracker.atlassian.net Wed Aug 12 14:18:00 2015
From: jira at bro-tracker.atlassian.net (earl eiland (JIRA))
Date: Wed, 12 Aug 2015 16:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1453) Input::add_table is not properly reading in sets

[ https://bro-tracker.atlassian.net/browse/BIT-1453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

earl eiland updated BIT-1453:
-----------------------------

    Attachment: model2.log.txt

Hello, Johanna. It's a bit of a problem to send the logfile. But the attached text file contains an excerpt, plus the actual error messages and the script.

Earl
From jira at bro-tracker.atlassian.net Wed Aug 12 14:29:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 12 Aug 2015 16:29:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1453) Input::add_table is not properly reading in sets

[ https://bro-tracker.atlassian.net/browse/BIT-1453?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21605#comment-21605 ]

Johanna Amann commented on BIT-1453:
------------------------------------

Sorry, I still cannot reproduce this. Running your exact script using your exact file from model2.log.txt works flawlessly for me.

What version of Bro are you using?

Could you please cross-check that in the actual file that you use, there are all tabs in the #fields line? (In your example in model2.log.txt, they are -- so I assume they are in your real data too, just crossing all t's).

From noreply at bro.org Thu Aug 13 00:00:21 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 13 Aug 2015 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508130700.t7D70LHF030976@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

  Issue    Component   User             Updated      Title
  -------  ----------  ---------------  -----------  -------------------------------------
  #40 [1]  bro         knielander [2]   2015-08-11   Enable linux fanout mode with Bro [3]
  #39 [4]  bro         balintm [5]      2015-08-13   Teredo dpd signature extended [6]

[1] Pull Request #40              https://github.com/bro/bro/pull/40
[2] knielander                    https://github.com/knielander
[3] Merge Pull Request #40 with   git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[4] Pull Request #39              https://github.com/bro/bro/pull/39
[5] balintm                       https://github.com/balintm
[6] Merge Pull Request #39 with   git pull --no-ff --no-commit https://github.com/balintm/bro.git master

From jira at bro-tracker.atlassian.net Thu Aug 13 03:59:01 2015
From: jira at bro-tracker.atlassian.net (earl eiland (JIRA))
Date: Thu, 13 Aug 2015 05:59:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1453) Input::add_table is not properly reading in sets

[ https://bro-tracker.atlassian.net/browse/BIT-1453?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21606#comment-21606 ]

earl eiland commented on BIT-1453:
----------------------------------

I'm running version 2.4-20, Johanna.

Earl
From jira at bro-tracker.atlassian.net Thu Aug 13 07:54:01 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 13 Aug 2015 09:54:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1453) Input::add_table is not properly reading in sets

[ https://bro-tracker.atlassian.net/browse/BIT-1453?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21607#comment-21607 ]

Daniel Thayer commented on BIT-1453:
------------------------------------

I can reproduce those errors. The problem is that the file "model2.log.txt" contains newline characters that do not match those used in Linux (perhaps you created the file on another OS, and then copied it over to your Linux machine?). If you look at the file using the "vi" editor in Linux, you can see "^M" characters at the end of each line. If you remove those, then the errors disappear.

From jira at bro-tracker.atlassian.net Thu Aug 13 08:03:00 2015
From: jira at bro-tracker.atlassian.net (earl eiland (JIRA))
Date: Thu, 13 Aug 2015 10:03:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1453) Input::add_table is not properly reading in sets

[ https://bro-tracker.atlassian.net/browse/BIT-1453?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21608#comment-21608 ]

earl eiland commented on BIT-1453:
----------------------------------

Thanks, Daniel. I'm using python's csv writer -- in Linux, but clearly, it's adding a newline. Thanks for the analysis! When I've figured out the correct csv.writer() parameter, I'll share it with the community.

Earl

From jira at bro-tracker.atlassian.net Thu Aug 13 08:54:01 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 13 Aug 2015 10:54:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1453) Input::add_table is not properly reading in sets

[ https://bro-tracker.atlassian.net/browse/BIT-1453?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21609#comment-21609 ]

Johanna Amann commented on BIT-1453:
------------------------------------

Great, thank you -- I just copied it over and forgot to look at the newlines in the original file.
-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Thu Aug 13 08:55:01 2015 
From: jira at bro-tracker.atlassian.net (earl eiland (JIRA))
Date: Thu, 13 Aug 2015 10:55:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1453) Input::add_table is not properly reading in sets
In-Reply-To: References: Message-ID:
[ https://bro-tracker.atlassian.net/browse/BIT-1453?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21610#comment-21610 ]

earl eiland commented on BIT-1453:
----------------------------------

If you're writing bro input files with python and using csv, then csv.writer must have the correct parameters. For example,

    write_model = csv.writer(model_file, delimiter='\x09', lineterminator='\n')

These settings place tabs between the columns and terminate lines with the newline character.

Earl

-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Thu Aug 13 08:55:01 2015 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 13 Aug 2015 10:55:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1453) Input::add_table is not properly reading in sets
In-Reply-To: References: Message-ID:
[ https://bro-tracker.atlassian.net/browse/BIT-1453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1453:
-------------------------------

    Resolution: Solved
        Status: Closed  (was: Open)

-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From noreply at bro.org Fri Aug 14 00:00:19 2015 
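Added example for the BIT-1453 thread above (editor's code, not from the Bro project or from the ticket's attachments): it writes a tab-separated Bro input-framework file with Python's csv module exactly as the comment prescribes (tab delimiter, explicit '\n' terminator), then reads it back with a minimal reader that splits columns on tabs and set columns on "|" the way the ticket configures InputAscii::set_separator. The reader is a stand-in for Bro's ASCII input reader, not that code, and the rows are constructed. The CRLF variant reproduces the "Did not find requested field service" symptom: csv.writer's default line terminator is '\r\n', so the last header name becomes "service\r".

```python
import csv
import io

FIELDS = ("node_A", "node_B", "layer_3_4", "service")
SET_FIELDS = {"layer_3_4", "service"}
SET_SEP = "|"  # mirrors: redef InputAscii::set_separator = "|";

# Constructed sample rows (documentation addresses), not the reporter's model2.log.
ROWS = [
    ("192.0.2.30", "192.0.2.255", {"udp"}, {"dns"}),
    ("192.0.2.31", "198.51.100.7", {"tcp", "udp"}, {"dns", "http"}),
]


def write_input_file(rows, fields=FIELDS, lineterminator="\n"):
    """Return the file text: tab between columns, sets joined with SET_SEP
    inside one column.  The terminator is passed explicitly because
    csv.writer defaults to '\\r\\n'."""
    buf = io.StringIO()
    w = csv.writer(buf, delimiter="\x09", lineterminator=lineterminator)
    w.writerow(["#fields", *fields])
    for node_a, node_b, l34, svc in rows:
        w.writerow([node_a, node_b,
                    SET_SEP.join(sorted(l34)), SET_SEP.join(sorted(svc))])
    return buf.getvalue()


def read_input_file(text, set_fields=SET_FIELDS):
    """Minimal reader (assumption: stands in for the ASCII input reader).
    Lines split on '\\n', columns on tab, set columns on SET_SEP.  It does
    not strip '\\r', so a CRLF file keeps a stray '\\r' on the last column
    and on the last #fields name."""
    fields, rows = None, []
    for line in text.split("\n"):
        if not line:
            continue
        cols = line.split("\t")
        if cols[0] == "#fields":
            fields = cols[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None or len(cols) != len(fields):
            raise ValueError("column count %d does not match header %r"
                             % (len(cols), fields))
        row = {}
        for name, value in zip(fields, cols):
            row[name] = set(value.split(SET_SEP)) if name in set_fields else value
        rows.append(row)
    return fields, rows


def missing_fields(text, wanted=FIELDS):
    """Names in `wanted` that the #fields header does not provide; a
    non-empty result is the condition behind 'Did not find requested field'."""
    fields, _ = read_input_file(text, set_fields=set())
    return [name for name in wanted if name not in (fields or [])]


if __name__ == "__main__":
    good = write_input_file(ROWS)
    print(good)
    print("missing with '\\n':  ", missing_fields(good))
    crlf = write_input_file(ROWS, lineterminator="\r\n")
    print("missing with '\\r\\n':", missing_fields(crlf))
```

Run it as a script to see the tab-separated output and the field check for both terminators; the CRLF variant reports "service" as missing even though the column is present, which is the symptom the ticket describes.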
From: noreply at bro.org (Merge Tracker)
Date: Fri, 14 Aug 2015 00:00:19 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508140700.t7E70J1n026683@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

  Issue    Component   User             Updated      Title
  -------  ----------- --------------   ----------   -------------------------------------
  #40 [1]  bro         knielander [2]   2015-08-11   Enable linux fanout mode with Bro [3]
  #39 [4]  bro         balintm [5]      2015-08-13   Teredo dpd signature extended [6]

[1] Pull Request #40   https://github.com/bro/bro/pull/40
[2] knielander         https://github.com/knielander
[3] Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[4] Pull Request #39   https://github.com/bro/bro/pull/39
[5] balintm            https://github.com/balintm
[6] Merge Pull Request #39 with git pull --no-ff --no-commit https://github.com/balintm/bro.git master

From noreply at bro.org Sat Aug 15 00:00:18 2015 
From: noreply at bro.org (Merge Tracker)
Date: Sat, 15 Aug 2015 00:00:18 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508150700.t7F70IZa003480@bro-ids.icir.org>

Open Fastpath Commits
=====================

  Commit       Component       Author          Date         Summary
  -----------  -------------   -------------   ----------   ----------------------------------------------
  8531d13 [1]  trace-summary   Daniel Thayer   2015-08-14   Fix typo in a TEST_DIFF_CANONIFIER script name

Open GitHub Pull Requests
=========================

  Issue    Component   User             Updated      Title
  -------  ----------- --------------   ----------   -------------------------------------
  #40 [2]  bro         knielander [3]   2015-08-14   Enable linux fanout mode with Bro [4]
  #39 [5]  bro         balintm [6]      2015-08-13   Teredo dpd signature extended [7]

[1] 8531d13            https://github.com/bro/trace-summary/commit/8531d13809df4c5251a1a08f960512e3aecd4e17
[2] Pull Request #40   https://github.com/bro/bro/pull/40
[3] knielander         https://github.com/knielander
[4] Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[5] Pull Request #39   https://github.com/bro/bro/pull/39
[6] balintm            https://github.com/balintm
[7] Merge Pull Request #39 with git pull --no-ff --no-commit https://github.com/balintm/bro.git master

From jira at bro-tracker.atlassian.net Sat Aug 15 12:42:00 2015 
From: jira at bro-tracker.atlassian.net (Mathias Fischer (JIRA))
Date: Sat, 15 Aug 2015 14:42:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1454) Merge request for topic/mfischer/broker-bugfixes
In-Reply-To: References: Message-ID:

Mathias Fischer created BIT-1454:
------------------------------------

             Summary: Merge request for topic/mfischer/broker-bugfixes
                 Key: BIT-1454
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1454
             Project: Bro Issue Tracker
          Issue Type: Patch
          Components: Broker
    Affects Versions: git/master
            Reporter: Mathias Fischer

Fixes the issue that Broker does not unpeer/disconnect from other endpoints. Problem was a comparison between two pointers instead of comparing their dereferenced values in broker/src/peering.cc

-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From noreply at bro.org Sun Aug 16 00:00:22 2015 
From: noreply at bro.org (Merge Tracker)
Date: Sun, 16 Aug 2015 00:00:22 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508160700.t7G70MQx029734@bro-ids.icir.org>

Open Fastpath Commits
=====================

  Commit       Component       Author          Date         Summary
  -----------  -------------   -------------   ----------   ----------------------------------------------------------
  f3fb2b2 [1]  bro             Daniel Thayer   2015-08-15   Fix diff-canonifier-external to use basename of input file
  8531d13 [2]  trace-summary   Daniel Thayer   2015-08-14   Fix typo in a TEST_DIFF_CANONIFIER script name

Open GitHub Pull Requests
=========================

  Issue    Component   User             Updated      Title
  -------  ----------- --------------   ----------   -------------------------------------
  #40 [3]  bro         knielander [4]   2015-08-14   Enable linux fanout mode with Bro [5]
  #39 [6]  bro         balintm [7]      2015-08-13   Teredo dpd signature extended [8]

[1] f3fb2b2            https://github.com/bro/bro/commit/f3fb2b2f527de34b2b888122f6a24af126e4edd4
[2] 8531d13            https://github.com/bro/trace-summary/commit/8531d13809df4c5251a1a08f960512e3aecd4e17
[3] Pull Request #40   https://github.com/bro/bro/pull/40
[4] knielander         https://github.com/knielander
[5] Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[6] Pull Request #39   https://github.com/bro/bro/pull/39
[7] balintm            https://github.com/balintm
[8] Merge Pull Request #39 with git pull --no-ff --no-commit https://github.com/balintm/bro.git master

From jira at bro-tracker.atlassian.net Sun Aug 16 21:05:00 2015 
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Sun, 16 Aug 2015 23:05:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1455) topic/dnthayer/py3-compat
In-Reply-To: References: Message-ID:

Daniel Thayer created BIT-1455:
----------------------------------

             Summary: topic/dnthayer/py3-compat
                 Key: BIT-1455
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1455
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BTest
            Reporter: Daniel Thayer
             Fix For: 2.5

The branch topic/dnthayer/py3-compat in the btest repo contains the following changes:

1) update btest to work on Python 3 (still works with Python 2.6 and 2.7)
2) fixed two bugs in btest-diff that could result in a failing test that appears to succeed
3) add more test cases
4) fix measure-time test to not be skipped on some systems that have all prereqs
5) fixed a test that set TEST_DIFF_CANONIFIER to wrong path
6) improvements to the README

-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Sun Aug 16 21:12:00 2015 
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Sun, 16 Aug 2015 23:12:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1455) topic/dnthayer/py3-compat
In-Reply-To: References: Message-ID:
[ https://bro-tracker.atlassian.net/browse/BIT-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1455:
-------------------------------

    Status: Merge Request  (was: Open)

-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From noreply at bro.org Mon Aug 17 00:00:20 2015 
From: noreply at bro.org (Merge Tracker)
Date: Mon, 17 Aug 2015 00:00:20 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508170700.t7H70KrJ021271@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component   Reporter        Assignee   Updated      For Version   Priority   Summary
  ------------  ----------- -------------   --------   ----------   -----------   --------   -----------------------------
  BIT-1455 [1]  BTest       Daniel Thayer   -          2015-08-16   2.5           Normal     topic/dnthayer/py3-compat [2]

Open Fastpath Commits
=====================

  Commit       Component       Author          Date         Summary
  -----------  -------------   -------------   ----------   ----------------------------------------------------------
  f3fb2b2 [3]  bro             Daniel Thayer   2015-08-15   Fix diff-canonifier-external to use basename of input file
  8531d13 [4]  trace-summary   Daniel Thayer   2015-08-14   Fix typo in a TEST_DIFF_CANONIFIER script name

Open GitHub Pull Requests
=========================

  Issue    Component   User             Updated      Title
  -------  ----------- --------------   ----------   -------------------------------------
  #40 [5]  bro         knielander [6]   2015-08-14   Enable linux fanout mode with Bro [7]
  #39 [8]  bro         balintm [9]      2015-08-13   Teredo dpd signature extended [10]

[1] BIT-1455           https://bro-tracker.atlassian.net/browse/BIT-1455
[2] py3-compat         https://github.com/bro/btest/tree/topic/dnthayer/py3-compat
[3] f3fb2b2            https://github.com/bro/bro/commit/f3fb2b2f527de34b2b888122f6a24af126e4edd4
[4] 8531d13            https://github.com/bro/trace-summary/commit/8531d13809df4c5251a1a08f960512e3aecd4e17
[5] Pull Request #40   https://github.com/bro/bro/pull/40
[6] knielander         https://github.com/knielander
[7] Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[8] Pull Request #39   https://github.com/bro/bro/pull/39
[9] balintm            https://github.com/balintm
[10] Merge Pull Request #39 with git pull --no-ff --no-commit https://github.com/balintm/bro.git master

From jira at bro-tracker.atlassian.net Mon Aug 17 07:43:00 2015 
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 17 Aug 2015 09:43:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1454) Merge request for topic/mfischer/broker-bugfixes
In-Reply-To: References: Message-ID:
[ https://bro-tracker.atlassian.net/browse/BIT-1454?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1454:
---------------------------

    Status: Merge Request  (was: Open)

-- This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101) From noreply at bro.org Tue Aug 18 00:00:21 2015 
From: noreply at bro.org (Merge Tracker)
Date: Tue, 18 Aug 2015 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508180700.t7I70LBx024464@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component   Reporter          Assignee   Updated      For Version   Priority   Summary
  ------------  ----------- ---------------   --------   ----------   -----------   --------   ------------------------------------------------
  BIT-1455 [1]  BTest       Daniel Thayer     -          2015-08-16   2.5           Normal     topic/dnthayer/py3-compat [2]
  BIT-1454 [3]  Broker      Mathias Fischer   -          2015-08-17   -             Normal     Merge request for topic/mfischer/broker-bugfixes

Open Fastpath Commits
=====================

  Commit       Component       Author          Date         Summary
  -----------  -------------   -------------   ----------   ----------------------------------------------------------
  f3fb2b2 [4]  bro             Daniel Thayer   2015-08-15   Fix diff-canonifier-external to use basename of input file
  8531d13 [5]  trace-summary   Daniel Thayer   2015-08-14   Fix typo in a TEST_DIFF_CANONIFIER script name

Open GitHub Pull Requests
=========================

  Issue    Component   User             Updated      Title
  -------  ----------- --------------   ----------   -------------------------------------
  #40 [6]  bro         knielander [7]   2015-08-17   Enable linux fanout mode with Bro [8]

[1] BIT-1455           https://bro-tracker.atlassian.net/browse/BIT-1455
[2] py3-compat         https://github.com/bro/btest/tree/topic/dnthayer/py3-compat
[3] BIT-1454           https://bro-tracker.atlassian.net/browse/BIT-1454
[4] f3fb2b2            https://github.com/bro/bro/commit/f3fb2b2f527de34b2b888122f6a24af126e4edd4
[5] 8531d13            https://github.com/bro/trace-summary/commit/8531d13809df4c5251a1a08f960512e3aecd4e17
[6] Pull Request #40   https://github.com/bro/bro/pull/40
[7] knielander         https://github.com/knielander
[8] Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master

From jira at bro-tracker.atlassian.net Tue Aug 18 07:39:00 2015 
From: jira at bro-tracker.atlassian.net (Jeff Barber (JIRA))
Date: Tue, 18 Aug 2015 09:39:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1456) BRO plugin install should honor DESTDIR= convention
In-Reply-To: References: Message-ID:

Jeff Barber created BIT-1456:
--------------------------------

             Summary: BRO plugin install should honor DESTDIR= convention
                 Key: BIT-1456
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1456
             Project: Bro Issue Tracker
          Issue Type: Patch
          Components: Bro
            Reporter: Jeff Barber
         Attachments: 0001-Make-plugin-install-honor-DESTDIR-convention.patch

When you install a plugin using the standard BRO plugin build, it doesn't honor the DESTDIR= convention. Easy one-line fix attached.

This patch is for the cmake repo (git://git.bro.org/cmake)

-- This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101) From jira at bro-tracker.atlassian.net Tue Aug 18 07:44:00 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 18 Aug 2015 09:44:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1456) BRO plugin install should honor DESTDIR= convention
In-Reply-To: References: Message-ID:
[ https://bro-tracker.atlassian.net/browse/BIT-1456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1456:
------------------------------

    Fix Version/s: 2.5

-- This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101) From jira at bro-tracker.atlassian.net Tue Aug 18 07:44:00 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 18 Aug 2015 09:44:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1456) BRO plugin install should honor DESTDIR= convention
In-Reply-To: References: Message-ID:
[ https://bro-tracker.atlassian.net/browse/BIT-1456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1456:
---------------------------------

    Assignee: Robin Sommer

-- This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101)

From jira at bro-tracker.atlassian.net Tue Aug 18 10:55:00 2015
From: jira at bro-tracker.atlassian.net (Mike Freemon (JIRA))
Date: Tue, 18 Aug 2015 12:55:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1457) [PATCH] add support for MIME type video/MP2T
In-Reply-To: References: Message-ID:

Mike Freemon created BIT-1457:
---------------------------------

             Summary: [PATCH] add support for MIME type video/MP2T
                 Key: BIT-1457
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1457
             Project: Bro Issue Tracker
          Issue Type: Patch
          Components: Bro
            Reporter: Mike Freemon
         Attachments: bro-git-patch-suppport-mime-type-video-MP2T.patch

This is a merge request that adds support for MIME type video/MP2T

-- This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101) From jira at bro-tracker.atlassian.net Tue Aug 18 21:19:00 2015 
From: jira at bro-tracker.atlassian.net (Michal Purzynski (JIRA))
Date: Tue, 18 Aug 2015 23:19:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP
In-Reply-To: References: Message-ID:

Michal Purzynski created BIT-1458:
-------------------------------------

             Summary: Lots of binpac exceptions in SIP
                 Key: BIT-1458
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1458
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BinPAC
    Affects Versions: 2.4
         Environment: Linux 3.19, Ubuntu 14.04 LTS, Asterisk for VOIP, plain SIP plus RDP no encryption
            Reporter: Michal Purzynski

There are quite a few binpac exceptions in dpd.log on office sensors that can see SIP traffic. The log message is always the same (I think).

    1439957552.911869 ChGboH2ZriUae63ufg 23.92.80.45 5089 10.252.40.4 5060 udp SIP Binpac exception: binpac exception: string mismatch at /home/mpurzynski/src/bro/bro-2.4-pfring/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected pattern: ":"\x0aactual data: " 496704993 2096249773 IN IP4 23.92.80.45\x0d\x0as=sipcli\x0d\x0ac=IN IP4 23.92.80.45\x0d\x0at=0 0\x0d\x0am=audio 5097 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0 PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101 telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"

What kind of data do you want me to attach, to help debugging the issue?

-- This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101) From jira at bro-tracker.atlassian.net Tue Aug 18 21:21:00 2015 
From: jira at bro-tracker.atlassian.net (Michal Purzynski (JIRA))
Date: Tue, 18 Aug 2015 23:21:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP
In-Reply-To: References: Message-ID:
[ https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21700#comment-21700 ]

Michal Purzynski commented on BIT-1458:
---------------------------------------

    1439957552.911479 ChGboH2ZriUae63ufg 23.92.80.45 5089 10.252.40.4 5060 0 INVITE sip:972597843739@63.245.221.35 - 1999 972597843739 1999 972597843739;tag=as48ce1fbf - cf292d314f99f06d120345b1305ed920 1 INVITE - SIP/2.0/UDP 23.92.80.45:5089,SIP/2.0/UDP 23.92.80.45:5089 SIP/2.0/UDP 23.92.80.45:5089 sipcli/v1.8 401 Unauthorized - 278 0 -

Looks like a scan
-- This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101) From jira at bro-tracker.atlassian.net Tue Aug 18 21:59:00 2015 
From: jira at bro-tracker.atlassian.net (Gary Faulkner (JIRA))
Date: Tue, 18 Aug 2015 23:59:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP
In-Reply-To: References: Message-ID:
[ https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21701#comment-21701 ]

Gary Faulkner commented on BIT-1458:
------------------------------------

Also seeing the problem (originally reported by a user on the SO mailing list):

Here is an example dpd.log entry with the corresponding sip.log entry. For some reason I have 2 binpac errors for the same UID:

dpd.log (2):

    1439948399.686688 Caw7aCOdBBH3URbN2 85.93.88.110 5072 10.10.142.119 5060 udp SIP Binpac exception: binpac exception: string mismatch at /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected pattern: ":"\x0aactual data: " 110906697 562075942 IN IP4 85.93.88.110\x0d\x0as=sipcli\x0d\x0ac=IN IP4 85.93.88.110\x0d\x0at=0 0\x0d\x0am=audio 5074 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0 PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101 telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"
    1439948399.698850 Caw7aCOdBBH3URbN2 85.93.88.110 5072 10.10.142.119 5060 udp SIP Binpac exception: binpac exception: string mismatch at /nsm/bro/git/bro2.4-10/bro/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected pattern: ":"\x0aactual data: " 110906697 562075942 IN IP4 85.93.88.110\x0d\x0as=sipcli\x0d\x0ac=IN IP4 85.93.88.110\x0d\x0at=0 0\x0d\x0am=audio 5074 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0 PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101 telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"

sip.log:

    1439948399.686688 Caw7aCOdBBH3URbN2 85.93.88.110 5072 10.10.142.119 5060 0 INVITE sip:9011441224928088@10.10.142.119 - 1003 9011441224928088 1003 9011441224928088;tag=d4ff6c9dcee8f11ai0 - b2a424f8e92e14efb90fd1a9630095d3 1 INVITE SIP/2.0/UDP 85.93.88.110:5072,SIP/2.0/UDP 85.93.88.110:5072 SIP/2.0/UDP 85.93.88.110:5072 sipcli/v1.8 404 Not Found - 279 0 -

-- This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101) From jira at bro-tracker.atlassian.net Tue Aug 18 22:24:00 2015 
From: jira at bro-tracker.atlassian.net (Michal Purzynski (JIRA))
Date: Wed, 19 Aug 2015 00:24:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP
In-Reply-To: References: Message-ID:
[ https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21702#comment-21702 ]

Michal Purzynski commented on BIT-1458:
---------------------------------------

I recognize the source IP and the sipcli v1.8 user agent, as one that belongs to some scanning botnet.

-- This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101) From jira at bro-tracker.atlassian.net Tue Aug 18 23:48:02 2015 
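Added example for the BIT-1458 thread above (editor's code, not Bro project code and not from the ticket): it correlates the two artifacts the commenters paired, SIP binpac exceptions in dpd.log and sipcli/v1.8 INVITEs in sip.log that draw 401/404, into a per-source verdict. The log lines are constructed to resemble the posted ones (documentation addresses, shortened failure_reason); the #fields headers follow the Bro 2.4 dpd.log and sip.log column order as an assumption, and the "sipcli/" user-agent rule and the two-failed-INVITE threshold are the editor's choices, not a Bro detection. The helper also unescapes the \xNN bytes Bro writes into failure_reason so the SDP "s=" session name, another scanner fingerprint visible in the posted lines, can be pulled out.

```python
import re
from collections import defaultdict

DPD_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
              "proto", "analyzer", "failure_reason"]
SIP_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
              "trans_depth", "method", "uri", "date", "request_from", "request_to",
              "response_from", "response_to", "reply_to", "call_id", "seq", "subject",
              "request_path", "response_path", "user_agent", "status_code",
              "status_msg", "warning", "request_body_len", "response_body_len",
              "content_type"]  # assumption: Bro 2.4 sip.log layout


def _rec(*cols):
    return "\t".join(cols)

# Constructed sample logs, modelled on the lines posted in the ticket.
DPD_LOG = "\n".join([
    "#separator \\x09", "#fields\t" + "\t".join(DPD_FIELDS),
    _rec("1439957552.911869", "ChGboH2ZriUae63ufg", "203.0.113.45", "5089", "10.252.40.4",
         "5060", "udp", "SIP", "Binpac exception: binpac exception: string mismatch at "
         "sip-protocol.pac:70: \\x0aexpected pattern: \":\"\\x0aactual data: \" 496704993 "
         "2096249773 IN IP4 203.0.113.45\\x0d\\x0as=sipcli\\x0d\\x0ac=IN IP4 203.0.113.45\\x0d\\x0a\""),
    _rec("1439957553.100000", "Cx1y2z3w4v5u6t7s8", "203.0.113.45", "5089", "10.252.40.4",
         "5060", "udp", "SIP", "Binpac exception: binpac exception: string mismatch at "
         "sip-protocol.pac:70: \\x0aexpected pattern: \":\"\\x0aactual data: \" 496704994 "
         "2096249774 IN IP4 203.0.113.45\\x0d\\x0as=sipcli\\x0d\\x0a\""),
])
SIP_LOG = "\n".join([
    "#separator \\x09", "#fields\t" + "\t".join(SIP_FIELDS),
    _rec("1439957552.911479", "ChGboH2ZriUae63ufg", "203.0.113.45", "5089", "10.252.40.4", "5060",
         "0", "INVITE", "sip:972597843739@10.252.40.4", "-", "1999", "972597843739",
         "1999", "972597843739;tag=as48ce1fbf", "-", "cf292d314f99f06d120345b1305ed920",
         "1 INVITE", "-", "SIP/2.0/UDP 203.0.113.45:5089", "SIP/2.0/UDP 203.0.113.45:5089",
         "sipcli/v1.8", "401", "Unauthorized", "-", "278", "0", "-"),
    _rec("1439957553.100000", "Cx1y2z3w4v5u6t7s8", "203.0.113.45", "5089", "10.252.40.4", "5060",
         "0", "INVITE", "sip:9011441224928088@10.252.40.4", "-", "1003", "9011441224928088",
         "1003", "9011441224928088;tag=d4ff6c9d", "-", "b2a424f8e92e14efb90fd1a9630095d3",
         "1 INVITE", "-", "SIP/2.0/UDP 203.0.113.45:5089", "SIP/2.0/UDP 203.0.113.45:5089",
         "sipcli/v1.8", "404", "Not Found", "-", "279", "0", "-"),
    # An ordinary internal phone registering, for contrast (constructed).
    _rec("1439957560.000000", "Cabcdefghijklmnop", "10.252.40.77", "5060", "10.252.40.4", "5060",
         "0", "REGISTER", "sip:10.252.40.4", "-", "<sip:2001@10.252.40.4>", "<sip:2001@10.252.40.4>",
         "<sip:2001@10.252.40.4>", "<sip:2001@10.252.40.4>;tag=1", "-", "abc123",
         "1 REGISTER", "-", "SIP/2.0/UDP 10.252.40.77:5060", "SIP/2.0/UDP 10.252.40.77:5060",
         "PolycomVVX", "200", "OK", "-", "0", "0", "-"),
])


def parse_bro_log(text):
    """Yield one dict per record keyed by the #fields header; other '#'
    lines (#separator, #set_separator, #close, ...) are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if fields is None or len(cols) != len(fields):
            raise ValueError("record does not match #fields header: %r" % line)
        yield dict(zip(fields, cols))


_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape_bro(s):
    """Undo the \\xNN escaping Bro applies to non-printable bytes in logs."""
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), s)


def sdp_session_name(failure_reason):
    """SDP 's=' line from a SIP binpac failure_reason, or None."""
    m = re.search(r"^s=([^\r\n]*)", unescape_bro(failure_reason), re.MULTILINE)
    return m.group(1) if m else None


SCANNER_UA = re.compile(r"^sipcli/", re.IGNORECASE)  # UA seen in the ticket
MIN_FAILED_INVITES = 2  # assumption: threshold for the count-based rule


def triage_sip(dpd_text, sip_text):
    """Return {orig_h: summary} for hosts that look like SIP scanners: a known
    scanner user agent, or >= MIN_FAILED_INVITES INVITEs that all got 4xx
    against at least two distinct targets. Binpac exception counts and SDP
    session names from dpd.log are attached as supporting evidence."""
    per_host = defaultdict(lambda: {"invites": 0, "failed_invites": 0, "targets": set(),
                                    "user_agents": set(), "binpac_exceptions": 0,
                                    "sdp_session_names": set()})
    for rec in parse_bro_log(dpd_text):
        if rec["analyzer"] == "SIP" and rec["failure_reason"].startswith("Binpac exception"):
            h = per_host[rec["id.orig_h"]]
            h["binpac_exceptions"] += 1
            name = sdp_session_name(rec["failure_reason"])
            if name:
                h["sdp_session_names"].add(name)
    for rec in parse_bro_log(sip_text):
        h = per_host[rec["id.orig_h"]]
        if rec["user_agent"] != "-":
            h["user_agents"].add(rec["user_agent"])
        if rec["method"] == "INVITE":
            h["invites"] += 1
            h["targets"].add(rec["request_to"])
            if rec["status_code"].startswith("4"):
                h["failed_invites"] += 1
    findings = {}
    for host, h in per_host.items():
        known_ua = any(SCANNER_UA.search(ua) for ua in h["user_agents"])
        brute = (h["invites"] >= MIN_FAILED_INVITES
                 and h["failed_invites"] == h["invites"] and len(h["targets"]) >= 2)
        if known_ua or brute:
            h["reasons"] = [r for r, hit in (("scanner user agent", known_ua),
                                              ("all INVITEs failed", brute)) if hit]
            findings[host] = h
    return findings


if __name__ == "__main__":
    for host, f in triage_sip(DPD_LOG, SIP_LOG).items():
        print(host, f["reasons"], sorted(f["user_agents"]),
              f["binpac_exceptions"], sorted(f["sdp_session_names"]))
```

The parser keys records by the #fields header instead of by column position, which is the safe way to read Bro ASCII logs because column sets change between releases and local redefs; on real logs feed it the file contents in place of the constructed strings. The binpac exception itself stays a parser problem for the SIP analyzer regardless of who sent the traffic, so the verdict here is about the sender, not a substitute for the fix.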
From: jira at bro-tracker.atlassian.net (Alexander Zatserkovnyy (JIRA))
Date: Wed, 19 Aug 2015 01:48:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1459) bro segfaults at analyzer::mime::MIME_Entity::ParseFieldParameters
In-Reply-To: References: Message-ID:

Alexander Zatserkovnyy created BIT-1459:
-------------------------------------------

             Summary: bro segfaults at analyzer::mime::MIME_Entity::ParseFieldParameters
                 Key: BIT-1459
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1459
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
         Environment: 2xXeon E5540, 64GB RAM, Linux 3.18.11, PF_RING 6.0.3 ZC (zbalance_ipc), bro cluster
            Reporter: Alexander Zatserkovnyy

bro worker segfaults occurred from time to time after upgrade to bro 2.4-78. Looks like the problem rises in analyzer::mime::MIME_Entity::ParseFieldParameters (/usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126). A couple of core listings follow:

    Core was generated by `/usr/local/bin/bro -i zc:99@2 -U .status -p broctl -p broctl-live -p local -p w'.
    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  analyzer::mime::MIME_Entity::ParseFieldParameters (this=this@entry=0x8aae540, len=16, len@entry=27, data=0x2447faec "(UploadBoundary)", data@entry=0x2447fae1 "; boundary=(UploadBoundary)") at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126
    126     static data_chunk_t get_data_chunk(BroString* s)
    (gdb) backtrace
    #0  analyzer::mime::MIME_Entity::ParseFieldParameters (this=this@entry=0x8aae540, len=16, len@entry=27, data=0x2447faec "(UploadBoundary)", data@entry=0x2447fae1 "; boundary=(UploadBoundary)") at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126
    #1  0x0000000000769f7c in analyzer::mime::MIME_Entity::ParseContentTypeField (this=this@entry=0x8aae540, h=h@entry=0x521ddc0) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:799
    #2  0x000000000076a1d1 in analyzer::mime::MIME_Entity::ParseMIMEHeader (this=this@entry=0x8aae540, h=h@entry=0x521ddc0) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:763
    #3  0x000000000076b638 in analyzer::mime::MIME_Entity::FinishHeader (this=this@entry=0x8aae540) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:735
    #4  0x000000000076b821 in analyzer::mime::MIME_Entity::NewHeader (this=0x8aae540, len=13, data=0x1704a3c0 "Host: fegi.ru") at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:699
    #5  0x0000000000721490 in analyzer::http::HTTP_Analyzer::DeliverStream (this=0xbd9f080, len=13, data=0x1704a3c0 "Host: fegi.ru", is_orig=) at /usr/src/other/bro/src/analyzer/protocol/http/HTTP.cc:1038
    #6  0x00000000007f0ded in analyzer::tcp::ContentLine_Analyzer::DoDeliverOnce (this=this@entry=0x14fbe090, len=, len@entry=84, data=, data@entry=0xcd56528 "Host: fegi.ru\r\nContent-Length: 185\r\nExpect: 100-continue\r\nConnection: Keep-Alive\r\n\r\n") at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:258
    #7  0x00000000007f0fbb in analyzer::tcp::ContentLine_Analyzer::DoDeliver (this=0x14fbe090, len=84, data=0xcd56528 "Host: fegi.ru\r\nContent-Length: 185\r\nExpect: 100-continue\r\nConnection: Keep-Alive\r\n\r\n") at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:200
    #8  0x00000000007f07b0 in analyzer::tcp::ContentLine_Analyzer::DeliverStream (this=0x14fbe090, len=, data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"..., is_orig=) at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:108
    #9  0x0000000000861216 in analyzer::Analyzer::NextStream (this=0x14fbe090, len=444, data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:245
    #10 0x00000000008619a6 in analyzer::Analyzer::ForwardStream (this=0x14ea0000, len=444, data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:331
    #11 0x00000000007efb49 in analyzer::tcp::TCP_Reassembler::DeliverBlock (this=this@entry=0xc6d7800, seq=seq@entry=1, len=len@entry=444, data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"...) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:650
    #12 0x00000000007efe79 in analyzer::tcp::TCP_Reassembler::BlockInserted (this=0xc6d7800, start_block=) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:396
    #13 0x00000000007ef9cc in analyzer::tcp::TCP_Reassembler::DataSent (this=0xc6d7800, t=, seq=, len=, len@entry=444, data=, data@entry=0x7f5b768985b6 , replaying=replaying@entry=true) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:495
    #14 0x00000000007ee341 in analyzer::tcp::TCP_Endpoint::DataSent (this=this@entry=0x710d620, t=, seq=seq@entry=1, len=444, caplen=444, data=0x7f5b768985b6 , ip=ip@entry=0x7ffcb14c4f90, tp=tp@entry=0x7f5b768985a2) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Endpoint.cc:207
    #15 0x00000000007eba12 in DeliverData (flags=..., is_orig=, rel_data_seq=1, endpoint=0x710d620, tp=0x7f5b768985a2, ip=0x7ffcb14c4f90, caplen=, len=, data=, t=, this=0x14ea0000) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:982
    #16 analyzer::tcp::TCP_Analyzer::DeliverPacket (this=0x14ea0000, len=444, data=0x7f5b768985b6 , is_orig=, seq=, ip=0x7ffcb14c4f90, caplen=444) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:1382
    #17 0x00000000008610c2 in analyzer::Analyzer::NextPacket (this=0x14ea0000, len=464, data=0x7f5b768985a2 , is_orig=, seq=18446744073709551615, ip=0x7ffcb14c4f90, caplen=464) at /usr/src/other/bro/src/analyzer/Analyzer.cc:222
    #18 0x000000000056979d in Connection::NextPacket (this=this@entry=0x1d1b6540, t=t@entry=1439902857.1053071, is_orig=is_orig@entry=1, ip=ip@entry=0x7ffcb14c4f90, len=len@entry=464, caplen=caplen@entry=464, data=@0x7ffcb14c4e08: 0x7f5b768985a2 , record_packet=, record_content=, pkt=, pkt@entry=0x2821530) at /usr/src/other/bro/src/Conn.cc:260
    #19 0x00000000006038a0 in NetSessions::DoNextPacket (this=this@entry=0x2d603c0, t=t@entry=1439902857.1053071, pkt=pkt@entry=0x2821530, ip_hdr=ip_hdr@
entry=0x7ffcb14c4f90, encapsulation=encapsulation at entry=0x0) at /usr/src/other/bro/src/Sessions.cc:735 #20 0x0000000000604824 in NetSessions::NextPacket (this=0x2d603c0, t=t at entry=1439902857.1053071, pkt=pkt at entry=0x2821530) at /usr/src/other/bro/src/Sessions.cc:207 #21 0x00000000005d456f in net_packet_dispatch (t=1439902857.1053071, pkt=pkt at entry=0x2821530, src_ps=src_ps at entry=0x2821500) at /usr/src/other/bro/src/Net.cc:273 #22 0x0000000000834539 in iosource::PktSrc::Process (this=0x2821500) at /usr/src/other/bro/src/iosource/PktSrc.cc:265 #23 0x00000000005d4a0f in net_run () at /usr/src/other/bro/src/Net.cc:321 #24 0x00000000005346dc in main (argc=, argv=) at /usr/src/other/bro/src/main.cc:1191 --------------------------------------------------------------------------------------------------------------------- #0 analyzer::mime::MIME_Entity::ParseFieldParameters (this=this at entry=0x16141d40, len=0, len at entry=11, data=0x1c0d0e9c "", data at entry=0x1c0d0e91 "; boundary=") at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126 #1 0x0000000000769f7c in analyzer::mime::MIME_Entity::ParseContentTypeField (this=this at entry=0x16141d40, h=h at entry=0x1a46c740) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:799 #2 0x000000000076a1d1 in analyzer::mime::MIME_Entity::ParseMIMEHeader (this=this at entry=0x16141d40, h=h at entry=0x1a46c740) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:763 #3 0x000000000076b638 in analyzer::mime::MIME_Entity::FinishHeader (this=this at entry=0x16141d40) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:735 #4 0x000000000076b821 in analyzer::mime::MIME_Entity::NewHeader (this=0x16141d40, len=175, data=0xd0dee00 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36") at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:699 #5 0x0000000000721490 in 
analyzer::http::HTTP_Analyzer::DeliverStream (this=0xe7c4080, len=175, data=0xd0dee00 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36", is_orig=) at /usr/src/other/bro/src/analyzer/protocol/http/HTTP.cc:1038 #6 0x00000000007f0ded in analyzer::tcp::ContentLine_Analyzer::DoDeliverOnce (this=this at entry=0xe806450, len=, len at entry=265, data=, data at entry=0x21c2647 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36\r\nAccept-Encoding: gzip, "...) at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:258 #7 0x00000000007f0fbb in analyzer::tcp::ContentLine_Analyzer::DoDeliver (this=0xe806450, len=265, data=0x21c2647 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36\r\nAccept-Encoding: gzip, "...) 
at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:200 #8 0x00000000007f07b0 in analyzer::tcp::ContentLine_Analyzer::DeliverStream (this=0xe806450, len=, data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"..., is_orig=) at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:108 #9 0x0000000000861216 in analyzer::Analyzer::NextStream (this=0xe806450, len=464, data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:245 #10 0x00000000008619a6 in analyzer::Analyzer::ForwardStream (this=0xb172f20, len=464, data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:331 #11 0x00000000007efb49 in analyzer::tcp::TCP_Reassembler::DeliverBlock (this=this at entry=0x167805a0, seq=seq at entry=1, len=len at entry=464, data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"...) 
at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:650 #12 0x00000000007efe79 in analyzer::tcp::TCP_Reassembler::BlockInserted (this=0x167805a0, start_block=) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:396 #13 0x00000000007ef9cc in analyzer::tcp::TCP_Reassembler::DataSent (this=0x167805a0, t=, seq=, len=, len at entry=464, data=, data at entry=0x7f9c1b006442 , replaying=replaying at entry=true) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:495 #14 0x00000000007ee341 in analyzer::tcp::TCP_Endpoint::DataSent (this=this at entry=0x4bb1fb0, t=, seq=seq at entry=1, len=464, caplen=464, data=0x7f9c1b006442 , ip=ip at entry=0x7fff4034c130, tp=tp at entry=0x7f9c1b006422) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Endpoint.cc:207 #15 0x00000000007eba12 in DeliverData (flags=..., is_orig=, rel_data_seq=1, endpoint=0x4bb1fb0, tp=0x7f9c1b006422, ip=0x7fff4034c130, caplen=, len=, data=, t=, this=0xb172f20) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:982 #16 analyzer::tcp::TCP_Analyzer::DeliverPacket (this=0xb172f20, len=464, data=0x7f9c1b006442 , is_orig=, seq=, ip=0x7fff4034c130, caplen=464) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:1382 #17 0x00000000008610c2 in analyzer::Analyzer::NextPacket (this=0xb172f20, len=496, data=0x7f9c1b006422 , is_orig=, seq=18446744073709551615, ip=0x7fff4034c130, caplen=496) at /usr/src/other/bro/src/analyzer/Analyzer.cc:222 #18 0x000000000056979d in Connection::NextPacket (this=this at entry=0x11e52f40, t=t at entry=1439788398.623282, is_orig=is_orig at entry=1, ip=ip at entry=0x7fff4034c130, len=len at entry=496, caplen=caplen at entry=496, data=@0x7fff4034bfa8: 0x7f9c1b006422 , record_packet=, record_content=, pkt=, pkt at entry=0x251a870) at /usr/src/other/bro/src/Conn.cc:260 #19 0x00000000006038a0 in NetSessions::DoNextPacket (this=this at entry=0x2a583c0, t=t at entry=1439788398.623282, pkt=pkt at entry=0x251a870, ip_hdr=ip_hdr at 
entry=0x7fff4034c130, encapsulation=encapsulation at entry=0x0) at /usr/src/other/bro/src/Sessions.cc:735 #20 0x0000000000604824 in NetSessions::NextPacket (this=0x2a583c0, t=t at entry=1439788398.623282, pkt=pkt at entry=0x251a870) at /usr/src/other/bro/src/Sessions.cc:207 #21 0x00000000005d456f in net_packet_dispatch (t=1439788398.623282, pkt=pkt at entry=0x251a870, src_ps=src_ps at entry=0x251a840) at /usr/src/other/bro/src/Net.cc:273 #22 0x0000000000834539 in iosource::PktSrc::Process (this=0x251a840) at /usr/src/other/bro/src/iosource/PktSrc.cc:265 #23 0x00000000005d4a0f in net_run () at /usr/src/other/bro/src/Net.cc:321 #24 0x00000000005346dc in main (argc=, argv=) at /usr/src/other/bro/src/main.cc:1191 -- This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101) From noreply at bro.org Wed Aug 19 00:00:22 2015 
From: noreply at bro.org (Merge Tracker)
Date: Wed, 19 Aug 2015 00:00:22 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508190700.t7J70MCK010730@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter         Assignee   Updated     For Version   Priority   Summary
------------  -----------  ---------------  ---------  ----------  ------------  ---------  ------------------------------------------------
BIT-1455 [1]  BTest        Daniel Thayer    -          2015-08-16  2.5           Normal     topic/dnthayer/py3-compat [2]
BIT-1454 [3]  Broker       Mathias Fischer  -          2015-08-17  -             Normal     Merge request for topic/mfischer/broker-bugfixes

Open Fastpath Commits
======================

Commit       Component      Author         Date        Summary
-----------  -------------  -------------  ----------  ----------------------------------------------------------
f3fb2b2 [4]  bro            Daniel Thayer  2015-08-15  Fix diff-canonifier-external to use basename of input file
32a793f [5]  bro-plugins    Daniel Thayer  2015-08-18  Fix minor typo in README
6fb3dfe [6]  bro-plugins    Daniel Thayer  2015-08-18  Fix doc build warnings for Redis and PF_RING
8531d13 [7]  trace-summary  Daniel Thayer  2015-08-14  Fix typo in a TEST_DIFF_CANONIFIER script name

Open GitHub Pull Requests
=========================

Issue    Component    User            Updated     Title
-------  -----------  --------------  ----------  --------------------------------------
#40 [8]  bro          knielander [9]  2015-08-18  Enable linux fanout mode with Bro [10]

[1]  BIT-1455          https://bro-tracker.atlassian.net/browse/BIT-1455
[2]  py3-compat        https://github.com/bro/btest/tree/topic/dnthayer/py3-compat
[3]  BIT-1454          https://bro-tracker.atlassian.net/browse/BIT-1454
[4]  f3fb2b2           https://github.com/bro/bro/commit/f3fb2b2f527de34b2b888122f6a24af126e4edd4
[5]  32a793f           https://github.com/bro/bro-plugins/commit/32a793ff1828a3b43fab479f5eefbe6fd0e0a649
[6]  6fb3dfe           https://github.com/bro/bro-plugins/commit/6fb3dfeb248cd790f20e843e3eb2f4d7545d68ff
[7]  8531d13           https://github.com/bro/trace-summary/commit/8531d13809df4c5251a1a08f960512e3aecd4e17
[8]  Pull Request #40  https://github.com/bro/bro/pull/40
[9]  knielander        https://github.com/knielander
[10] Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master

From jira at bro-tracker.atlassian.net Wed Aug 19 06:23:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Wed, 19 Aug 2015 08:23:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21703#comment-21703 ]

Seth Hall commented on BIT-1458:
--------------------------------

The most useful thing at this point would be if someone could provide some packets that exhibit this problem.

> Lots of binpac exceptions in SIP
> --------------------------------
>
>                 Key: BIT-1458
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1458
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC
>    Affects Versions: 2.4
>         Environment: Linux 3.19, Ubuntu 14.04 LTS, Asterisk for VOIP, plain SIP plus RDP no encryption
>            Reporter: Michal Purzynski
>
> There's quite a bit of binpac exceptions in dpd.log on office sensors that can see SIP traffic. The log message is always the same (I think).
>
> 1439957552.911869 ChGboH2ZriUae63ufg 23.92.80.45 5089 10.252.40.4 5060 udp SIP Binpac exception: binpac exception: string mismatch at /home/mpurzynski/src/bro/bro-2.4-pfring/src/analyzer/protocol/sip/sip-protocol.pac:70: \x0aexpected pattern: ":"\x0aactual data: " 496704993 2096249773 IN IP4 23.92.80.45\x0d\x0as=sipcli\x0d\x0ac=IN IP4 23.92.80.45\x0d\x0at=0 0\x0d\x0am=audio 5097 RTP/AVP 18 0 8 101\x0d\x0aa=fmtp:101 0-15\x0d\x0aa=rtpmap:18 G729/8000\x0d\x0aa=rtpmap:0 PCMU/8000\x0d\x0aa=rtpmap:8 PCMA/8000\x0d\x0aa=rtpmap:101 telephone-event/8000\x0d\x0aa=ptime:20\x0d\x0aa=sendrecv\x0d\x0a"
>
> What kind of data do you want me to attach, to help debugging the issue?

From jira at bro-tracker.atlassian.net Wed Aug 19 08:43:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Wed, 19 Aug 2015 10:43:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1457) [PATCH] add support for MIME type video/MP2T
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1457?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1457:
------------------------------

    Status: Merge Request  (was: Open)

> [PATCH] add support for MIME type video/MP2T
> --------------------------------------------
>
>                 Key: BIT-1457
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1457
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>            Reporter: Mike Freemon
>         Attachments: bro-git-patch-suppport-mime-type-video-MP2T.patch
>
>
> This is a merge request that adds support for MIME type video/MP2T

From vallentin at icir.org Wed Aug 19 08:43:11 2015
From: vallentin at icir.org (Matthias Vallentin)
Date: Wed, 19 Aug 2015 08:43:11 -0700
Subject: [Bro-Dev] Pattern matching for the Bro language
Message-ID: <20150819154311.GC35754@shogun>

TL;DR:

    function f() : any;

    local result = "";
    switch( f() )
      {
      case addr:
        if ( x in 10.0.0.0/8 )
          result = "got it!";
      case string:
        result = "f() failed: " + x;
      }

I want to propose introducing pattern matching for the Bro language. Pattern matching is a powerful concept particularly available in functional languages, like Haskell, ML, Erlang, Rust, you name it. It enables typesafe dispatching based on the type of a value. Other languages often can go beyond type-based dispatching and also enable "value" dispatch. We *kinda* have this with the when statement in an asynchronous form, which monitors a given expression value, and whenever the operands change, the expression is re-evaluated. But, let's get back to type-based dispatch and "any".

The "any" type is really just a bolt-on fix for the lack of a more sophisticated type system. We use (and abuse) it anywhere where we need polymorphism and want to bypass the type system. Today, Bro doesn't have generic programming facilities besides "any". I hope this will change in the future; introducing pattern matching is the first step in this direction.

In the future, I believe that in Bro we see more and more asynchronous operations, in particular with the proliferation of Broker. This requires better language support. When users store data remotely, they need to wait for an answer. The asynchrony often introduces sum types: either the result comes back or an error occurs. The above example is such a sum type: either an addr or a string. If "x" has neither type, Bro would raise an error---at runtime.

Here's another example:

    function lookup(key: string) : any;

    when ( local x = lookup("key") )
      {
      local result = "";
      switch( x )
        {
        case addr:
          if ( x in 10.0.0.0/8 )
            result = "contained";
        case string:
          result = "error: lookup() failed: " + x;
        }
      }

When we ask a store for data, the runtime doesn't know the type until it gets a result back. Because there can be multiple return types, "switch" provides a means to extract the value in a type-safe manner.

Some languages (Ruby comes to mind) design switch as an expression, which would allow constructs like:

    local result = switch( x )
      {
      case T:
      case U:
      };

Personally, I like this functional treatment, but C-seasoned folks may have a harder time with it.

If you have any thoughts on this, please chime in.

    Matthias

From jira at bro-tracker.atlassian.net Wed Aug 19 11:50:01 2015
From: jira at bro-tracker.atlassian.net (Gary Faulkner (JIRA))
Date: Wed, 19 Aug 2015 13:50:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Faulkner updated BIT-1458:
-------------------------------

    Attachment: badsip-19AUG2015_anon.pcapng

From jira at bro-tracker.atlassian.net Wed Aug 19 11:52:00 2015
From: jira at bro-tracker.atlassian.net (Gary Faulkner (JIRA))
Date: Wed, 19 Aug 2015 13:52:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21704#comment-21704 ]

Gary Faulkner commented on BIT-1458:
------------------------------------

PCAP of SIP scanning activity that seems to be triggering these is attached.

From vern at icir.org Wed Aug 19 12:09:01 2015
From: vern at icir.org (Vern Paxson)
Date: Wed, 19 Aug 2015 12:09:01 -0700
Subject: [Bro-Dev] Pattern matching for the Bro language
In-Reply-To: <20150819154311.GC35754@shogun> (Wed, 19 Aug 2015 08:43:11 PDT).
Message-ID: <20150819190901.5552E2C4103@rock.ICSI.Berkeley.EDU>

> I want to propose introducing pattern matching for the Bro language.

Per our discussion yesterday, I like this notion in general. (Seems we need a better term for it, though, as "pattern matching" is very generic - plus will confuse some people who'll think it refers to NIDS rules rather than generic type safety!)

> Some languages (Ruby comes to mind) design switch as an expression,
> which would allow constructs like:
>
>     local result = switch( x )
>       {
>       case T:
>       case U:
>       };

Personally, this strikes me as a tad weird, since now "result" might not have a statically determined type, so we're back to it being "any". So I'd want to wait on going this far until we have use cases where it clearly would help with code clarity.

    Vern

From vallentin at icir.org Wed Aug 19 13:15:56 2015
From: vallentin at icir.org (Matthias Vallentin)
Date: Wed, 19 Aug 2015 13:15:56 -0700
Subject: [Bro-Dev] Pattern matching for the Bro language
In-Reply-To: <20150819190901.5552E2C4103@rock.ICSI.Berkeley.EDU>
References: <20150819154311.GC35754@shogun> <20150819190901.5552E2C4103@rock.ICSI.Berkeley.EDU>
Message-ID: <20150819201556.GD1232@samurai.ICIR.org>

> >     local result = switch( x )
> >       {
> >       case T:
> >       case U:
> >       };
>
> Personally, this strikes me as a tad weird, since now "result" might not
> have a statically determined type, so we're back to it being "any".

To avoid falling back to "any land," the additional constraint in this case would be that each case block would have to have a return statement with the same type. The use case I had in mind is returning from a function.

    function f(x: any) : string
      {
      return switch(x)
        {
        case T:
          return "T";
        case U:
          return "U";
        }
      }

Though that's simply syntactic sugar for:

    function f(x: any) : string
      {
      local result = "";
      switch(x)
        {
        case T:
          result = "T";
        case U:
          result = "U";
        }
      return result;
      }

I'm not feeling very strongly about it.

    Matthias

From jira at bro-tracker.atlassian.net Wed Aug 19 15:07:00 2015
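The addr-or-error-string sum type that this thread keeps returning to, written out as an added example in Rust (one of the languages Matthias names), not Bro code from the thread: the match is an expression, every arm must yield the same type, and a missing case fails at compile time rather than at runtime as with Bro's "any". The `lookup` store and its keys are constructed stand-ins.

```rust
// Added example, not part of the bro-dev thread. Models the thread's
// "lookup() returns either an addr or an error string" case in Rust.
use std::net::Ipv4Addr;

/// The two outcomes the thread discusses: an address came back from the
/// store, or the store reported an error. This is what "any" stood in for.
#[derive(Debug, PartialEq)]
pub enum Lookup {
    Addr(Ipv4Addr),
    Err(String),
}

/// Equivalent of Bro's `x in 10.0.0.0/8`: only the top 8 bits matter.
fn in_10_slash_8(a: Ipv4Addr) -> bool {
    a.octets()[0] == 10
}

/// Statement form, mirroring Matthias's first example: `result` is declared
/// up front and assigned inside each case.
pub fn classify_stmt(x: &Lookup) -> String {
    let mut result = String::new();
    match x {
        Lookup::Addr(a) => {
            if in_10_slash_8(*a) {
                result = "contained".to_string();
            }
        }
        Lookup::Err(e) => {
            result = format!("error: lookup() failed: {}", e);
        }
    }
    result
}

/// Expression form, the `return switch(x) { ... }` variant. Vern's concern
/// that `result` could lose its static type is settled by the compiler here:
/// all arms must produce a String, and leaving out an arm (say, dropping
/// `Lookup::Err`) is a compile error, not a runtime one.
pub fn classify_expr(x: &Lookup) -> String {
    match x {
        Lookup::Addr(a) if in_10_slash_8(*a) => "contained".to_string(),
        Lookup::Addr(_) => String::new(),
        Lookup::Err(e) => format!("error: lookup() failed: {}", e),
    }
}

/// Constructed stand-in for the remote store the thread talks about; a real
/// Broker store would answer asynchronously, which is why the result type
/// is only known once the answer arrives.
pub fn lookup(key: &str) -> Lookup {
    match key {
        "gateway" => Lookup::Addr(Ipv4Addr::new(10, 1, 2, 3)),
        "public" => Lookup::Addr(Ipv4Addr::new(93, 184, 216, 34)),
        _ => Lookup::Err(format!("no such key: {}", key)),
    }
}

fn main() {
    for k in ["gateway", "public", "missing"].iter() {
        println!("{}: {:?}", k, classify_expr(&lookup(k)));
    }
}
```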
From: jira at bro-tracker.atlassian.net (Michal Purzynski (JIRA))
Date: Wed, 19 Aug 2015 17:07:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michal Purzynski updated BIT-1458:
----------------------------------

    Attachment: sip-scan-detailed.pcap

From jira at bro-tracker.atlassian.net Wed Aug 19 15:08:00 2015
From: jira at bro-tracker.atlassian.net (Michal Purzynski (JIRA))
Date: Wed, 19 Aug 2015 17:08:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21705#comment-21705 ]

Michal Purzynski commented on BIT-1458:
---------------------------------------

Pcap of an example scan attached.

From jira at bro-tracker.atlassian.net Wed Aug 19 15:52:00 2015
From: jira at bro-tracker.atlassian.net (Michal Purzynski (JIRA))
Date: Wed, 19 Aug 2015 17:52:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michal Purzynski updated BIT-1458:
----------------------------------

    Attachment: sip3.pcap
                sip2.pcap

From jira at bro-tracker.atlassian.net Wed Aug 19 15:53:00 2015
From: jira at bro-tracker.atlassian.net (Michal Purzynski (JIRA))
Date: Wed, 19 Aug 2015 17:53:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21706#comment-21706 ]

Michal Purzynski commented on BIT-1458:
---------------------------------------

More pcaps attached.

From jira at bro-tracker.atlassian.net Wed Aug 19 16:00:00 2015
From: jira at bro-tracker.atlassian.net (Michal Purzynski (JIRA))
Date: Wed, 19 Aug 2015 18:00:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1460) DPD query too large on multicast DNS
In-Reply-To:
References:
Message-ID:

Michal Purzynski created BIT-1460:
-------------------------------------

Summary: DPD query too large on multicast DNS
Key: BIT-1460
URL: https://bro-tracker.atlassian.net/browse/BIT-1460
Project: Bro Issue Tracker
Issue Type: Problem
Components: BinPAC
Affects Versions: 2.4
Reporter: Michal Purzynski
Attachments: dnsm.pcap

Lots of

1440024833.696698 CZdljELZjJSLLQpxj 10.251.27.165 5353 224.0.0.251 5353 udp DNS DNS_Conn_count_too_large
1440024920.764444 CgVrZf4IQ0Tc04EfQe 10.251.29.250 5353 224.0.0.251 5353 udp DNS DNS_Conn_count_too_large
1440024920.764923 C4oQOB2GRRhDHW1i4g fe80::6676:baff:feb5:772c 5353 ff02::fb 5353 udp DNS DNS_Conn_count_too_large
1440024981.016577 CsCwiq3qk2Uxjhomjj fe80::1c8a:768d:e113:e39f 5353 ff02::fb 5353 udp DNS DNS_Conn_count_too_large
1440024981.015551 CA1nbO23vgbca2PBYi 10.251.28.176 5353 224.0.0.251 5353 udp DNS DNS_Conn_count_too_large
1440025022.962007 C5kYaG3BckRrVOot89 10.251.26.99 5353 224.0.0.251 5353 udp DNS DNS_Conn_count_too_large
1440025022.962049 CrkZft38lJ0YqGqxsl fe80::2acf:e9ff:fe1a:9aed 5353 ff02::fb 5353 udp DNS DNS_Conn_count_too_large

for just UDP and port 5353 - multicast DNS.

Pcaps attached.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-01-193#70101)

From jira at bro-tracker.atlassian.net Wed Aug 19 20:36:00 2015
From: jira at bro-tracker.atlassian.net (Michal Purzynski (JIRA))
Date: Wed, 19 Aug 2015 22:36:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1428) Customizable email subject lines
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21707#comment-21707 ]

Michal Purzynski commented on BIT-1428:
---------------------------------------

That would be helpful. Having NSM send emails from "Big Brother" might not resonate well with some folks ;-)

> Customizable email subject lines
> --------------------------------
>
> Key: BIT-1428
> URL: https://bro-tracker.atlassian.net/browse/BIT-1428
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Vern Paxson
>
> There should be a hook of some sort to allow customizing email Subject lines. In particular, I want emails sent for alarm summaries to include the hostname of the Bro that's sending them (since at ICSI we run two concurrent Bros). Looking at *pp_send* in *base/frameworks/notice/actions/pp-alarms.bro* I don't see any way to do this currently.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-01-193#70101)

From jira at bro-tracker.atlassian.net Wed Aug 19 23:11:00 2015
From: jira at bro-tracker.atlassian.net (Tim Jackson (JIRA))
Date: Thu, 20 Aug 2015 01:11:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1461) Bro Mgr Scripts Fail After Threat Intel Feed Add
In-Reply-To:
References:
Message-ID:

Tim Jackson created BIT-1461:
--------------------------------

Summary: Bro Mgr Scripts Fail After Threat Intel Feed Add
Key: BIT-1461
URL: https://bro-tracker.atlassian.net/browse/BIT-1461
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: 2.5
Reporter: Tim Jackson

Getting the following on check after inclusion of 3rd party threat intel feeds. Unsure of how to continue.

manager scripts failed.
internal error: Value not found in enum mappimg. Module: Intel, var: undefined, var size: 9
/opt/bro/share/broctl/scripts/check-config: line 28: 30661 Aborted (core dumped) ${bro} "$@"
proxy scripts are ok.
calidcbrosrv001-eth1-1 scripts are ok.
calidcbrosrv001-eth1-2 scripts are ok.

Thanks
Tim

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-01-193#70101)

From noreply at bro.org Thu Aug 20 00:00:23 2015
From: noreply at bro.org (Merge Tracker) Date: Thu, 20 Aug 2015 00:00:23 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201508200700.t7K70NLF009763@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- --------------- ---------- ---------- ------------- ---------- ------------------------------------------------ BIT-1457 [1] Bro Mike Freemon - 2015-08-19 - Normal [PATCH] add support for MIME type video/MP2T BIT-1455 [2] BTest Daniel Thayer - 2015-08-16 2.5 Normal topic/dnthayer/py3-compat [3] BIT-1454 [4] Broker Mathias Fischer - 2015-08-17 - Normal Merge request for topic/mfischer/broker-bugfixes Open Fastpath Commits ====================== Commit Component Author Date Summary ----------- ------------- ------------- ---------- ---------------------------------------------------------- f3fb2b2 [5] bro Daniel Thayer 2015-08-15 Fix diff-canonifier-external to use basename of input file 32a793f [6] bro-plugins Daniel Thayer 2015-08-18 Fix minor typo in README 6fb3dfe [7] bro-plugins Daniel Thayer 2015-08-18 Fix doc build warnings for Redis and PF_RING 8531d13 [8] trace-summary Daniel Thayer 2015-08-14 Fix typo in a TEST_DIFF_CANONIFIER script name Open GitHub Pull Requests ========================= Issue Component User Updated Title -------- ----------- --------------- ---------- --------------------------------------------------- #43 [9] bro balintm [10] 2015-08-19 Update to SIP protocol [11] #42 [12] bro J-Gras [13] 2015-08-19 Improved logging of Base64 errors [14] #40 [15] bro knielander [16] 2015-08-18 Enable linux fanout mode with Bro [17] #6 [18] bro-plugins jswaro [19] 2015-08-19 Adding initial conversion of TCPRS to a plugin [20] [1] BIT-1457 https://bro-tracker.atlassian.net/browse/BIT-1457 [2] BIT-1455 https://bro-tracker.atlassian.net/browse/BIT-1455 [3] py3-compat https://github.com/bro/btest/tree/topic/dnthayer/py3-compat [4] BIT-1454 
https://bro-tracker.atlassian.net/browse/BIT-1454 [5] f3fb2b2 https://github.com/bro/bro/commit/f3fb2b2f527de34b2b888122f6a24af126e4edd4 [6] 32a793f https://github.com/bro/bro-plugins/commit/32a793ff1828a3b43fab479f5eefbe6fd0e0a649 [7] 6fb3dfe https://github.com/bro/bro-plugins/commit/6fb3dfeb248cd790f20e843e3eb2f4d7545d68ff [8] 8531d13 https://github.com/bro/trace-summary/commit/8531d13809df4c5251a1a08f960512e3aecd4e17 [9] Pull Request #43 https://github.com/bro/bro/pull/43 [10] balintm https://github.com/balintm [11] Merge Pull Request #43 with git pull --no-ff --no-commit https://github.com/balintm/bro.git patch-1 [12] Pull Request #42 https://github.com/bro/bro/pull/42 [13] J-Gras https://github.com/J-Gras [14] Merge Pull Request #42 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/base64-logging [15] Pull Request #40 https://github.com/bro/bro/pull/40 [16] knielander https://github.com/knielander [17] Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master [18] Pull Request #6 https://github.com/bro/bro-plugins/pull/6 [19] jswaro https://github.com/jswaro [20] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin From robin at icir.org Thu Aug 20 08:15:31 2015 
From: robin at icir.org (Robin Sommer)
Date: Thu, 20 Aug 2015 08:15:31 -0700
Subject: [Bro-Dev] Pattern matching for the Bro language
In-Reply-To: <20150819154311.GC35754@shogun>
References: <20150819154311.GC35754@shogun>
Message-ID: <20150820151531.GD40819@icir.org>

On Wed, Aug 19, 2015 at 08:43 -0700, you wrote:

> switch( f() )
>     {
>     case addr:
>         if ( x in 10.0.0.0/8 )
>             result = "got it!";
>     case string:
>         result = "f() failed: " + x;
>     }

Had discussed this with Matthias before, but for the record: I like it, too. :-) (This form; less the one with return values, at least for now).

As one additional note, even with this added, we wouldn't otherwise extend the operations that are allowed on "any" instances. Right now, there's actually not much one can do with them, and it would stay that way to avoid people starting to generally skip the typing system (e.g., one cannot assign an "any" to another "any"; more generally, one cannot pass them around arbitrarily). The "switch" is for using "any" safely in cases where it cannot be avoided (which is primarily bifs with return values that cannot be statically typed).

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From jira at bro-tracker.atlassian.net Thu Aug 20 08:18:02 2015
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Thu, 20 Aug 2015 10:18:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1461) Bro Mgr Scripts Fail After Threat Intel Feed Add
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1461?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21708#comment-21708 ]

Vlad Grigorescu commented on BIT-1461:
--------------------------------------

{quote}Value not found in enum mappimg{quote}

There's a typo in "mapping." Could that be the issue? It's a bit hard to debug without seeing the script(s).

> Bro Mgr Scripts Fail After Threat Intel Feed Add
> ------------------------------------------------
>
> Key: BIT-1461
> URL: https://bro-tracker.atlassian.net/browse/BIT-1461
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.5
> Reporter: Tim Jackson
>
> Getting the following on check after inclusion of 3rd party threat intel feeds. Unsure of how to continue.
>
> manager scripts failed.
> internal error: Value not found in enum mappimg. Module: Intel, var: undefined, var size: 9
> /opt/bro/share/broctl/scripts/check-config: line 28: 30661 Aborted (core dumped) ${bro} "$@"
> proxy scripts are ok.
> calidcbrosrv001-eth1-1 scripts are ok.
> calidcbrosrv001-eth1-2 scripts are ok.
>
> Thanks
> Tim

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-01-193#70101)

From seth at icir.org Thu Aug 20 09:41:53 2015
From: seth at icir.org (Seth Hall)
Date: Thu, 20 Aug 2015 12:41:53 -0400
Subject: [Bro-Dev] Pattern matching for the Bro language
In-Reply-To: <20150820151531.GD40819@icir.org>
References: <20150819154311.GC35754@shogun> <20150820151531.GD40819@icir.org>
Message-ID: <1B4AA2E0-9386-4E32-9C74-4134B8A387CE@icir.org>

> On Aug 20, 2015, at 11:15 AM, Robin Sommer wrote:
>
> Had discussed this with Matthias before, but for the record: I like
> it, too. :-) (This form; less the one with return values, at least for
> now).

I like this proposal a lot too.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jira at bro-tracker.atlassian.net Thu Aug 20 13:56:00 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Thu, 20 Aug 2015 15:56:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1462) heap overflow in ARP_Analyzer::IsARP In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Justin Azoff updated BIT-1462: ------------------------------ Attachment: arp_bug.pcap > heap overflow in ARP_Analyzer::IsARP > ------------------------------------ > > Key: BIT-1462 > URL: https://bro-tracker.atlassian.net/browse/BIT-1462 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Justin Azoff > Attachments: arp_bug.pcap > > > {code} > # bro -r arp_bug.pcap > ================================================================= > ==8775==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310008c07fe at pc 0x00000099a56e bp 0x7fffd1826e60 sp 0x7fffd1826e58 > READ of size 2 at 0x6310008c07fe thread T0 > #0 0x99a56d in analyzer::arp::ARP_Analyzer::IsARP(unsigned char const*, int) /scratch/bro-clean/src/analyzer/protocol/arp/ARP.cc:24:2 > #1 0x855781 in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:246:12 > #2 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2 > #3 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3 > #4 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4 > #5 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3 > #6 0x7fc0ba545b44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287 > #7 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c) > {code} -- This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101) From jira at bro-tracker.atlassian.net Thu Aug 20 13:56:00 2015 
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Thu, 20 Aug 2015 15:56:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1462) heap overflow in ARP_Analyzer::IsARP
In-Reply-To:
References:
Message-ID:

Justin Azoff created BIT-1462:
---------------------------------

Summary: heap overflow in ARP_Analyzer::IsARP
Key: BIT-1462
URL: https://bro-tracker.atlassian.net/browse/BIT-1462
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: 2.4
Reporter: Justin Azoff

{code}
# bro -r arp_bug.pcap
=================================================================
==8775==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310008c07fe at pc 0x00000099a56e bp 0x7fffd1826e60 sp 0x7fffd1826e58
READ of size 2 at 0x6310008c07fe thread T0
    #0 0x99a56d in analyzer::arp::ARP_Analyzer::IsARP(unsigned char const*, int) /scratch/bro-clean/src/analyzer/protocol/arp/ARP.cc:24:2
    #1 0x855781 in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:246:12
    #2 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
    #3 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
    #4 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
    #5 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
    #6 0x7fc0ba545b44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
    #7 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
{code}

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-01-193#70101)

From jira at bro-tracker.atlassian.net Thu Aug 20 13:58:00 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Thu, 20 Aug 2015 15:58:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1463) heap overflow in PktSrc::Process
In-Reply-To:
References:
Message-ID:

Justin Azoff created BIT-1463:
---------------------------------

Summary: heap overflow in PktSrc::Process
Key: BIT-1463
URL: https://bro-tracker.atlassian.net/browse/BIT-1463
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: 2.4
Reporter: Justin Azoff
Attachments: pktsrc_bug.pcap

{code}
==11569==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001bcbfc at pc 0x000000da1f1b bp 0x7fff726f3d90 sp 0x7fff726f3d88
READ of size 1 at 0x6020001bcbfc thread T0
    #0 0xda1f1a in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:325:3
    #1 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
    #2 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
    #3 0x7f2fd89beb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
    #4 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
{code}

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-01-193#70101)

From jira at bro-tracker.atlassian.net Thu Aug 20 13:59:00 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Thu, 20 Aug 2015 15:59:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1464) heap overflow in build_syn_packet_val In-Reply-To: References: Message-ID: Justin Azoff created BIT-1464: --------------------------------- Summary: heap overflow in build_syn_packet_val Key: BIT-1464 URL: https://bro-tracker.atlassian.net/browse/BIT-1464 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Affects Versions: 2.4 Reporter: Justin Azoff Attachments: build_syn_packet_val_bug.pcap {code} # bro -r build_syn_packet_val_bug.pcap ================================================================= ==15198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000e45266 at pc 0x000000cd6731 bp 0x7fff061fe1b0 sp 0x7fff061fe1a8 READ of size 1 at 0x607000e45266 thread T0 #0 0xcd6730 in build_syn_packet_val(int, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:52:3 #1 0xcd6730 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1274 #2 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4 #3 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3 #4 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2 #5 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3 #6 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2 #7 0xda1c1b in 
iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3 #8 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4 #9 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3 #10 0x7f204146cb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287 #11 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c) {code} -- This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101) From jira at bro-tracker.atlassian.net Thu Aug 20 14:00:00 2015 
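The three AddressSanitizer reports above (BIT-1462, BIT-1463, BIT-1464) share one shape: a read of one or two bytes just past the end of a heap buffer holding a captured packet, reached from the packet-dispatch path. The usual root cause for this class is reading a header field before confirming that the capture length covers it; a truncated frame (a short snaplen, or a crafted packet) then walks the parser off the end of the buffer. The C example below is added here and is not Bro's code: it shows a header walk over Ethernet, ARP, IPv4 and TCP that checks the remaining capture length before every field access, so a cut-off frame is reported as truncated rather than read. The on-wire field offsets are the standard ones; the function names, the two sample frames and the cut points are constructed for the example, and the specific checks Bro was missing are not shown on this page, so the code illustrates the pattern rather than the actual fixes.

```c
/* Added example, not Bro's code: a bounds-checked header walk over a
 * captured frame. The ASan reports above are reads past the end of a
 * captured packet, so every field access below is preceded by a check
 * against the remaining capture length. Sample frames are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { PKT_OK = 0, PKT_TRUNCATED = -1, PKT_UNSUPPORTED = -2 };

struct parsed_pkt {
    uint16_t ethertype;
    int is_arp;
    uint8_t ip_proto;     /* 0 unless an IPv4 header was parsed */
    size_t tcp_hdr_len;   /* TCP data offset in bytes, 0 if not TCP */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk Ethernet -> ARP, or Ethernet -> IPv4 -> TCP. Never touches
 * pkt[caplen] or beyond: a header that would extend past caplen yields
 * PKT_TRUNCATED instead of being read. */
int parse_frame(const uint8_t *pkt, size_t caplen, struct parsed_pkt *out)
{
    memset(out, 0, sizeof *out);
    if (caplen < 14) return PKT_TRUNCATED;              /* Ethernet header */
    out->ethertype = rd16(pkt + 12);
    size_t off = 14;

    if (out->ethertype == 0x0806) {                     /* ARP */
        if (caplen - off < 8) return PKT_TRUNCATED;     /* fixed ARP prefix */
        uint16_t htype = rd16(pkt + off), ptype = rd16(pkt + off + 2);
        uint8_t hlen = pkt[off + 4], plen = pkt[off + 5];
        if (htype != 1 || ptype != 0x0800 || hlen != 6 || plen != 4)
            return PKT_UNSUPPORTED;
        /* two hardware and two protocol addresses follow the prefix */
        if (caplen - off < 8 + 2u * (hlen + plen)) return PKT_TRUNCATED;
        out->is_arp = 1;
        return PKT_OK;
    }
    if (out->ethertype != 0x0800) return PKT_UNSUPPORTED;

    /* IPv4: the 20-byte minimum header must be present before IHL is trusted */
    if (caplen - off < 20) return PKT_TRUNCATED;
    if ((pkt[off] >> 4) != 4) return PKT_UNSUPPORTED;
    size_t ihl = (pkt[off] & 0x0f) * 4u;
    if (ihl < 20 || caplen - off < ihl) return PKT_TRUNCATED;
    out->ip_proto = pkt[off + 9];
    off += ihl;
    if (out->ip_proto != 6) return PKT_OK;

    /* TCP: read the data offset only once the 20-byte base header is in
     * the capture, and accept the options block only if all of it is. */
    if (caplen - off < 20) return PKT_TRUNCATED;
    size_t doff = (pkt[off + 12] >> 4) * 4u;
    if (doff < 20 || caplen - off < doff) return PKT_TRUNCATED;
    out->tcp_hdr_len = doff;
    return PKT_OK;
}

/* constructed ARP request (42 bytes) */
static const uint8_t SAMPLE_ARP[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x00,0x11,0x22,0x33,0x44,0x55, 0xc0,0xa8,0x00,0x01,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x00,0x02 };

/* constructed IPv4/TCP SYN carrying a 4-byte MSS option, data offset 6 (58 bytes) */
static const uint8_t SAMPLE_TCP[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x2c, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02,
    0x04,0xd2,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x60,0x02,0xff,0xff, 0x00,0x00,0x00,0x00, 0x02,0x04,0x05,0xb4 };

/* Parse a sample as if libpcap had cut the capture at `caplen` bytes. */
static int cut_status(const uint8_t *pkt, size_t full, size_t caplen)
{
    struct parsed_pkt p;
    return parse_frame(pkt, caplen < full ? caplen : full, &p);
}
int sample_arp_status(size_t caplen) { return cut_status(SAMPLE_ARP, sizeof SAMPLE_ARP, caplen); }
int sample_tcp_status(size_t caplen) { return cut_status(SAMPLE_TCP, sizeof SAMPLE_TCP, caplen); }
int sample_tcp_hdrlen(void)
{
    struct parsed_pkt p;
    return parse_frame(SAMPLE_TCP, sizeof SAMPLE_TCP, &p) == PKT_OK ? (int)p.tcp_hdr_len : -1;
}

int main(void)
{
    size_t cuts[] = { 13, 20, 42 };
    for (size_t i = 0; i < 3; i++)
        printf("ARP frame cut at %2zu bytes -> %d\n", cuts[i], sample_arp_status(cuts[i]));
    printf("TCP frame cut at 54 bytes -> %d, full -> %d (TCP header %d bytes)\n",
           sample_tcp_status(54), sample_tcp_status(58), sample_tcp_hdrlen());
    return 0;
}
```

The TCP cut at 54 bytes is the build_syn_packet_val situation: the base header is complete and advertises a 24-byte data offset, but the options it promises are not in the capture, so the parser must stop before looking at them. Note that the checks subtract from the remaining length rather than adding to an offset, which avoids the overflow a `off + n > caplen` test can suffer when `n` comes from the packet.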
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Thu, 20 Aug 2015 16:00:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1465) heap overflow in GetTimeFromAsn1 In-Reply-To: References: Message-ID: Justin Azoff created BIT-1465: --------------------------------- Summary: heap overflow in GetTimeFromAsn1 Key: BIT-1465 URL: https://bro-tracker.atlassian.net/browse/BIT-1465 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Affects Versions: 2.4 Reporter: Justin Azoff Attachments: gettimefromasn_bug.pcap This pcap requires -C {code} # bro -C -r gettimefromasn_bug.pcap ================================================================= ==18126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001c0001 at pc 0x000000d1cd37 bp 0x7fffe6f622f0 sp 0x7fffe6f622e8 READ of size 1 at 0x6020001c0001 thread T0 #0 0xd1cd36 in file_analysis::X509::GetTimeFromAsn1(asn1_string_st const*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:578:7 #1 0xd1b632 in file_analysis::X509::ParseCertificate(file_analysis::X509Val*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:134:31 #2 0xd1a93c in file_analysis::X509::EndOfFile() /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:55:27 #3 0xdd5513 in file_analysis::File::EndOfFile() /scratch/bro-clean/src/file_analysis/File.cc:522:10 #4 0xdc83e3 in file_analysis::Manager::RemoveFile(std::__cxx11::basic_string, std::allocator > const&) /scratch/bro-clean/src/file_analysis/Manager.cc:395:2 #5 0xbf3287 in binpac::RDP::RDP_Flow::proc_x509_cert_data(binpac::RDP::X509_Cert_Data*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3667:3 #6 0xbf288e in binpac::RDP::X509_Cert_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3390:10 #7 0xbf15bc in binpac::RDP::X509::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) 
/scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3316:25 #8 0xbefefc in binpac::RDP::Server_Certificate::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3022:19 #9 0xbe897b in binpac::RDP::Server_Security_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2935:2 #10 0xbe664a in binpac::RDP::Data_Block::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1176:30 #11 0xbe57c4 in binpac::RDP::Server_Header::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2513:31 #12 0xbe38a8 in binpac::RDP::DT_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1010:21 #13 0xbe16c7 in binpac::RDP::COTP::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:899:19 #14 0xbe10cd in binpac::RDP::TPKT::ParseBuffer(binpac::FlowBuffer*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:787:20 #15 0xbf3d4b in binpac::RDP::RDP_Flow::NewData(unsigned char const*, unsigned char const*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3436:35 #16 0xbd9b33 in analyzer::rdp::RDP_Analyzer::DeliverStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/rdp/RDP.cc:80:4 #17 0xe2506c in analyzer::Analyzer::NextStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:245:4 #18 0xe26530 in analyzer::Analyzer::ForwardStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:331:4 #19 0xce012d in 
analyzer::tcp::TCP_Reassembler::DeliverBlock(unsigned long, int, unsigned char const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:647:2 #20 0xcdfb77 in analyzer::tcp::TCP_Reassembler::BlockInserted(DataBlock*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:393:4 #21 0xce0a4a in analyzer::tcp::TCP_Reassembler::DataSent(double, unsigned long, int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:492:2 #22 0xcdc26d in analyzer::tcp::TCP_Endpoint::DataSent(double, unsigned long, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Endpoint.cc:205:12 #23 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverData(double, unsigned char const*, int, int, IP_Hdr const*, tcphdr const*, analyzer::tcp::TCP_Endpoint*, unsigned long, int, analyzer::tcp::TCP_Flags) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:982:9 #24 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1381 #25 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4 #26 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3 #27 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2 #28 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3 #29 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2 #30 0xda1c1b in 
iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3 #31 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4 #32 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3 #33 0x7f3b3edbdb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287 #34 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c) {code} -- This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101) From jira at bro-tracker.atlassian.net Thu Aug 20 14:09:00 2015 From: jira at bro-tracker.atlassian.net (Matthias Vallentin (JIRA)) Date: Thu, 20 Aug 2015 16:09:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1454) Merge request for topic/mfischer/broker-bugfixes In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1454?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Matthias Vallentin reassigned BIT-1454: --------------------------------------- Assignee: Matthias Vallentin > Merge request for topic/mfischer/broker-bugfixes > ------------------------------------------------ > > Key: BIT-1454 > URL: https://bro-tracker.atlassian.net/browse/BIT-1454 > Project: Bro Issue Tracker > Issue Type: Patch > Components: Broker > Affects Versions: git/master > Reporter: Mathias Fischer > Assignee: Matthias Vallentin > > Fixes the issue that Broker does not unpeer/disconnect from other endpoints. Problem was a comparison in between two pointers instead of comparing their dereferenced values in broker/src/peering.cc -- This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101) From jira at bro-tracker.atlassian.net Thu Aug 20 14:55:00 2015 
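BIT-1465 above is a different parser, same failure class: a 1-byte read past a heap buffer in X509::GetTimeFromAsn1, reached while parsing an X.509 certificate carried inside an RDP server security exchange (hence the pcap needing -C, since checksums are not valid in the trace). ASN.1 time strings (UTCTime, GeneralizedTime) are variable-length and not NUL-terminated, so a parser that walks them by fixed position has to check the encoded length before each digit group and before the trailing 'Z'. The C example below is added here and is not Bro's GetTimeFromAsn1; it does not use OpenSSL's ASN1_TIME type but takes the tag number, the string pointer and its length directly, and rejects a truncated or malformed value instead of reading past it. Tag numbers 23 and 24 are the X.690 universal tags for UTCTime and GeneralizedTime, the two-digit-year pivot follows RFC 5280 section 4.1.2.5.1, and the sample strings and function names are constructed for the example.

```c
/* Added example, not Bro's X509::GetTimeFromAsn1: a length-checked parser
 * for UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSS[.f..]Z).
 * Every read goes through take_digits() or an explicit `pos < len` test,
 * so a short string yields an error rather than an out-of-bounds read.
 * Sample inputs in main() are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ASN1_UTCTIME          23   /* X.690 universal tag numbers */
#define ASN1_GENERALIZEDTIME  24

struct asn1_tm { int year, mon, day, hour, min, sec; };

/* Parse `ndigits` decimal digits at *pos; fails if they would run past len. */
static int take_digits(const char *s, size_t len, size_t *pos, int ndigits, int *out)
{
    if (len - *pos < (size_t)ndigits) return -1;
    int v = 0;
    for (int i = 0; i < ndigits; i++) {
        char c = s[*pos + i];
        if (c < '0' || c > '9') return -1;
        v = v * 10 + (c - '0');
    }
    *pos += ndigits;
    *out = v;
    return 0;
}

/* Returns 0 on success, -1 on malformed or truncated input. `len` is the
 * ASN.1 length of the string; `s` need not be NUL-terminated. */
int asn1_time_parse(int type, const char *s, size_t len, struct asn1_tm *t)
{
    size_t pos = 0;
    memset(t, 0, sizeof *t);
    if (type == ASN1_UTCTIME) {
        int yy;
        if (take_digits(s, len, &pos, 2, &yy)) return -1;
        t->year = yy < 50 ? 2000 + yy : 1900 + yy;    /* RFC 5280 pivot */
    } else if (type == ASN1_GENERALIZEDTIME) {
        if (take_digits(s, len, &pos, 4, &t->year)) return -1;
    } else return -1;

    if (take_digits(s, len, &pos, 2, &t->mon)  || t->mon  < 1 || t->mon  > 12) return -1;
    if (take_digits(s, len, &pos, 2, &t->day)  || t->day  < 1 || t->day  > 31) return -1;
    if (take_digits(s, len, &pos, 2, &t->hour) || t->hour > 23) return -1;
    if (take_digits(s, len, &pos, 2, &t->min)  || t->min  > 59) return -1;
    if (take_digits(s, len, &pos, 2, &t->sec)  || t->sec  > 60) return -1;

    /* GeneralizedTime may carry fractional seconds, which we discard */
    if (type == ASN1_GENERALIZEDTIME && pos < len && s[pos] == '.') {
        pos++;
        int nfrac = 0;
        while (pos < len && s[pos] >= '0' && s[pos] <= '9') { pos++; nfrac++; }
        if (nfrac == 0) return -1;
    }
    /* RFC 5280 requires the trailing 'Z' and nothing after it */
    if (pos >= len || s[pos] != 'Z' || pos + 1 != len) return -1;
    return 0;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (days-from-civil). */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

int64_t asn1_tm_to_unix(const struct asn1_tm *t)
{
    return days_from_civil(t->year, t->mon, t->day) * 86400
         + t->hour * 3600 + t->min * 60 + t->sec;
}

/* Parse and convert in one step; -1 signals a rejected string. */
int64_t asn1_time_to_unix(int type, const char *s, size_t len)
{
    struct asn1_tm t;
    if (asn1_time_parse(type, s, len, &t)) return -1;
    return asn1_tm_to_unix(&t);
}

int main(void)
{
    const char *samples[] = { "150820000000Z", "20150820000000.5Z", "1508" };
    int types[] = { ASN1_UTCTIME, ASN1_GENERALIZEDTIME, ASN1_UTCTIME };
    for (int i = 0; i < 3; i++)
        printf("%-20s -> %lld\n", samples[i],
               (long long)asn1_time_to_unix(types[i], samples[i], strlen(samples[i])));
    return 0;
}
```

The test that matters for this bug class is the one where the buffer is longer than the declared length: passing "150820000000Z" with a length of 12 must fail, because the parser may only trust `len`, never the bytes that happen to follow it in memory. A certificate whose validity string is cut short by its own length octet is exactly what a fuzzer or a hostile RDP server produces.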
From: jira at bro-tracker.atlassian.net (Matthias Vallentin (JIRA))
Date: Thu, 20 Aug 2015 16:55:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1454) Merge request for topic/mfischer/broker-bugfixes
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1454?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matthias Vallentin updated BIT-1454:
------------------------------------

Status: Closed (was: Merge Request)

Good catch, thanks.

> Merge request for topic/mfischer/broker-bugfixes
> ------------------------------------------------
>
> Key: BIT-1454
> URL: https://bro-tracker.atlassian.net/browse/BIT-1454
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Broker
> Affects Versions: git/master
> Reporter: Mathias Fischer
> Assignee: Matthias Vallentin
>
> Fixes the issue that Broker does not unpeer/disconnect from other endpoints. Problem was a comparison between two pointers instead of comparing their dereferenced values in broker/src/peering.cc

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-01-193#70101)

From jira at bro-tracker.atlassian.net Thu Aug 20 16:05:01 2015
From: jira at bro-tracker.atlassian.net (james.lay (JIRA))
Date: Thu, 20 Aug 2015 18:05:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1466) Need to document Q and I for conn.log
In-Reply-To:
References:
Message-ID:

james.lay created BIT-1466:
------------------------------

Summary: Need to document Q and I for conn.log
Key: BIT-1466
URL: https://bro-tracker.atlassian.net/browse/BIT-1466
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Documentation
Affects Versions: 2.4
Environment: Web site documentation
Reporter: james.lay
Priority: Trivial

Need to document Q and I in conn.log, per Seth's request.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-01-193#70101)

From noreply at bro.org Fri Aug 21 00:00:20 2015
From: noreply at bro.org (Merge Tracker) Date: Fri, 21 Aug 2015 00:00:20 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201508210700.t7L70Ku9020166@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ---------- ---------- ------------- ---------- -------------------------------------------- BIT-1457 [1] Bro Mike Freemon - 2015-08-19 - Normal [PATCH] add support for MIME type video/MP2T BIT-1455 [2] BTest Daniel Thayer - 2015-08-16 2.5 Normal topic/dnthayer/py3-compat [3] Open Fastpath Commits ====================== Commit Component Author Date Summary ----------- ------------- ------------- ---------- ---------------------------------------------------------- f3fb2b2 [4] bro Daniel Thayer 2015-08-15 Fix diff-canonifier-external to use basename of input file 32a793f [5] bro-plugins Daniel Thayer 2015-08-18 Fix minor typo in README 6fb3dfe [6] bro-plugins Daniel Thayer 2015-08-18 Fix doc build warnings for Redis and PF_RING 8531d13 [7] trace-summary Daniel Thayer 2015-08-14 Fix typo in a TEST_DIFF_CANONIFIER script name Open GitHub Pull Requests ========================= Issue Component User Updated Title -------- ----------- --------------- ---------- --------------------------------------------------- #43 [8] bro balintm [9] 2015-08-19 Update to SIP protocol [10] #42 [11] bro J-Gras [12] 2015-08-19 Improved logging of Base64 errors [13] #40 [14] bro knielander [15] 2015-08-18 Enable linux fanout mode with Bro [16] #6 [17] bro-plugins jswaro [18] 2015-08-19 Adding initial conversion of TCPRS to a plugin [19] [1] BIT-1457 https://bro-tracker.atlassian.net/browse/BIT-1457 [2] BIT-1455 https://bro-tracker.atlassian.net/browse/BIT-1455 [3] py3-compat https://github.com/bro/btest/tree/topic/dnthayer/py3-compat [4] f3fb2b2 https://github.com/bro/bro/commit/f3fb2b2f527de34b2b888122f6a24af126e4edd4 [5] 32a793f 
https://github.com/bro/bro-plugins/commit/32a793ff1828a3b43fab479f5eefbe6fd0e0a649 [6] 6fb3dfe https://github.com/bro/bro-plugins/commit/6fb3dfeb248cd790f20e843e3eb2f4d7545d68ff [7] 8531d13 https://github.com/bro/trace-summary/commit/8531d13809df4c5251a1a08f960512e3aecd4e17 [8] Pull Request #43 https://github.com/bro/bro/pull/43 [9] balintm https://github.com/balintm [10] Merge Pull Request #43 with git pull --no-ff --no-commit https://github.com/balintm/bro.git patch-1 [11] Pull Request #42 https://github.com/bro/bro/pull/42 [12] J-Gras https://github.com/J-Gras [13] Merge Pull Request #42 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/base64-logging [14] Pull Request #40 https://github.com/bro/bro/pull/40 [15] knielander https://github.com/knielander [16] Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master [17] Pull Request #6 https://github.com/bro/bro-plugins/pull/6 [18] jswaro https://github.com/jswaro [19] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin From jira at bro-tracker.atlassian.net Fri Aug 21 10:27:01 2015 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 21 Aug 2015 12:27:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1465) heap overflow in GetTimeFromAsn1

[ https://bro-tracker.atlassian.net/browse/BIT-1465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21710#comment-21710 ]

Johanna Amann commented on BIT-1465:
------------------------------------

Ok, since I am apparently being stupid at the moment... how did you get stuff to compile with AddressSanitizer? Just trying CFLAGS/CPPFLAGS/LDFLAGS=-fsanitize=address already breaks and complains about problems during building.

Johanna

> heap overflow in GetTimeFromAsn1
> --------------------------------
>
> Key: BIT-1465
> URL: https://bro-tracker.atlassian.net/browse/BIT-1465
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Reporter: Justin Azoff
> Attachments: gettimefromasn_bug.pcap
>
>
> This pcap requires -C
> {code}
> # bro -C -r gettimefromasn_bug.pcap
> =================================================================
> ==18126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001c0001 at pc 0x000000d1cd37 bp 0x7fffe6f622f0 sp 0x7fffe6f622e8
> READ of size 1 at 0x6020001c0001 thread T0
> #0 0xd1cd36 in file_analysis::X509::GetTimeFromAsn1(asn1_string_st const*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:578:7
> #1 0xd1b632 in file_analysis::X509::ParseCertificate(file_analysis::X509Val*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:134:31
> #2 0xd1a93c in file_analysis::X509::EndOfFile() /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:55:27
> #3 0xdd5513 in file_analysis::File::EndOfFile() /scratch/bro-clean/src/file_analysis/File.cc:522:10
> #4 0xdc83e3 in file_analysis::Manager::RemoveFile(std::__cxx11::basic_string, std::allocator > const&) /scratch/bro-clean/src/file_analysis/Manager.cc:395:2
> #5 0xbf3287 in binpac::RDP::RDP_Flow::proc_x509_cert_data(binpac::RDP::X509_Cert_Data*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3667:3
> #6 0xbf288e in binpac::RDP::X509_Cert_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3390:10
> #7 0xbf15bc in binpac::RDP::X509::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3316:25
> #8 0xbefefc in binpac::RDP::Server_Certificate::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3022:19
> #9 0xbe897b in binpac::RDP::Server_Security_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2935:2
> #10 0xbe664a in binpac::RDP::Data_Block::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1176:30
> #11 0xbe57c4 in binpac::RDP::Server_Header::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2513:31
> #12 0xbe38a8 in binpac::RDP::DT_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1010:21
> #13 0xbe16c7 in binpac::RDP::COTP::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:899:19
> #14 0xbe10cd in binpac::RDP::TPKT::ParseBuffer(binpac::FlowBuffer*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:787:20
> #15 0xbf3d4b in binpac::RDP::RDP_Flow::NewData(unsigned char const*, unsigned char const*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3436:35
> #16 0xbd9b33 in analyzer::rdp::RDP_Analyzer::DeliverStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/rdp/RDP.cc:80:4
> #17 0xe2506c in analyzer::Analyzer::NextStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:245:4
> #18 0xe26530 in analyzer::Analyzer::ForwardStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:331:4
> #19 0xce012d in analyzer::tcp::TCP_Reassembler::DeliverBlock(unsigned long, int, unsigned char const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:647:2
> #20 0xcdfb77 in analyzer::tcp::TCP_Reassembler::BlockInserted(DataBlock*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:393:4
> #21 0xce0a4a in analyzer::tcp::TCP_Reassembler::DataSent(double, unsigned long, int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:492:2
> #22 0xcdc26d in analyzer::tcp::TCP_Endpoint::DataSent(double, unsigned long, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Endpoint.cc:205:12
> #23 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverData(double, unsigned char const*, int, int, IP_Hdr const*, tcphdr const*, analyzer::tcp::TCP_Endpoint*, unsigned long, int, analyzer::tcp::TCP_Flags) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:982:9
> #24 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1381
> #25 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
> #26 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
> #27 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
> #28 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
> #29 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
> #30 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
> #31 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
> #32 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
> #33 0x7f3b3edbdb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
> #34 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

--
This message was sent by Atlassian JIRA (v7.0.0-OD-01-193#70101)

From jira at bro-tracker.atlassian.net Fri Aug 21 11:01:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 21 Aug 2015 13:01:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1465) heap overflow in GetTimeFromAsn1

[ https://bro-tracker.atlassian.net/browse/BIT-1465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21711#comment-21711 ]

Johanna Amann commented on BIT-1465:
------------------------------------

Also - a very preliminary look at this makes it seem that this is (probably) only an out-of-bound array access by the code in question which should not be exploitable in any way (except perhaps crashing Bro in unlikely cases).

Johanna

> heap overflow in GetTimeFromAsn1
> --------------------------------
>
> Key: BIT-1465
> URL: https://bro-tracker.atlassian.net/browse/BIT-1465
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Reporter: Justin Azoff
> Attachments: gettimefromasn_bug.pcap
>
>
> This pcap requires -C
> {code}
> # bro -C -r gettimefromasn_bug.pcap
> =================================================================
> ==18126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001c0001 at pc 0x000000d1cd37 bp 0x7fffe6f622f0 sp 0x7fffe6f622e8
> READ of size 1 at 0x6020001c0001 thread T0
> #0 0xd1cd36 in file_analysis::X509::GetTimeFromAsn1(asn1_string_st const*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:578:7
> #1 0xd1b632 in file_analysis::X509::ParseCertificate(file_analysis::X509Val*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:134:31
> #2 0xd1a93c in file_analysis::X509::EndOfFile() /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:55:27
> #3 0xdd5513 in file_analysis::File::EndOfFile() /scratch/bro-clean/src/file_analysis/File.cc:522:10
> #4 0xdc83e3 in file_analysis::Manager::RemoveFile(std::__cxx11::basic_string, std::allocator > const&) /scratch/bro-clean/src/file_analysis/Manager.cc:395:2
> #5 0xbf3287 in binpac::RDP::RDP_Flow::proc_x509_cert_data(binpac::RDP::X509_Cert_Data*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3667:3
> #6 0xbf288e in binpac::RDP::X509_Cert_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3390:10
> #7 0xbf15bc in binpac::RDP::X509::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3316:25
> #8 0xbefefc in binpac::RDP::Server_Certificate::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3022:19
> #9 0xbe897b in binpac::RDP::Server_Security_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2935:2
> #10 0xbe664a in binpac::RDP::Data_Block::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1176:30
> #11 0xbe57c4 in binpac::RDP::Server_Header::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2513:31
> #12 0xbe38a8 in binpac::RDP::DT_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1010:21
> #13 0xbe16c7 in binpac::RDP::COTP::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:899:19
> #14 0xbe10cd in binpac::RDP::TPKT::ParseBuffer(binpac::FlowBuffer*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:787:20
> #15 0xbf3d4b in binpac::RDP::RDP_Flow::NewData(unsigned char const*, unsigned char const*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3436:35
> #16 0xbd9b33 in analyzer::rdp::RDP_Analyzer::DeliverStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/rdp/RDP.cc:80:4
> #17 0xe2506c in analyzer::Analyzer::NextStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:245:4
> #18 0xe26530 in analyzer::Analyzer::ForwardStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:331:4
> #19 0xce012d in analyzer::tcp::TCP_Reassembler::DeliverBlock(unsigned long, int, unsigned char const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:647:2
> #20 0xcdfb77 in analyzer::tcp::TCP_Reassembler::BlockInserted(DataBlock*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:393:4
> #21 0xce0a4a in analyzer::tcp::TCP_Reassembler::DataSent(double, unsigned long, int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:492:2
> #22 0xcdc26d in analyzer::tcp::TCP_Endpoint::DataSent(double, unsigned long, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Endpoint.cc:205:12
> #23 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverData(double, unsigned char const*, int, int, IP_Hdr const*, tcphdr const*, analyzer::tcp::TCP_Endpoint*, unsigned long, int, analyzer::tcp::TCP_Flags) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:982:9
> #24 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1381
> #25 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
> #26 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
> #27 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
> #28 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
> #29 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
> #30 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
> #31 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
> #32 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
> #33 0x7f3b3edbdb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
> #34 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

From jira at bro-tracker.atlassian.net Fri Aug 21 17:20:00 2015
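The BIT-1465 thread above reports an AddressSanitizer heap-buffer-overflow READ of size 1 inside GetTimeFromAsn1 while a certificate carried in an RDP handshake is parsed, and Johanna's preliminary assessment is an out-of-bounds array access. The block below is an added example written for this page; it is not Bro's GetTimeFromAsn1 and not the fix the project shipped. It shows the shape of a parser for the two X.509 time encodings (RFC 5280: UTCTime "YYMMDDHHMMSSZ" and GeneralizedTime "YYYYMMDDHHMMSSZ") that checks the string's type and length before touching a single byte, so a truncated time string from a hostile certificate is rejected rather than read past its end. Assumptions: the caller passes the ASN1_STRING's data pointer and length separately (so the example does not need OpenSSL headers), the type tags 23 and 24 are OpenSSL's values for UTCTime and GeneralizedTime, and every function name here is the example's own. The test inputs are constructed, not taken from the attached pcap.

```c
/*
 * Added example for the BIT-1465 discussion: a bounds-checked parser for the
 * two X.509 time encodings. Written for this page; not Bro's GetTimeFromAsn1
 * and not the project's fix. Function names and layout are the example's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type tags as OpenSSL stores them in ASN1_STRING::type. */
#define ASN1_UTCTIME         23
#define ASN1_GENERALIZEDTIME 24

/* Days since 1970-01-01 for a proleptic Gregorian date (H. Hinnant's algorithm). */
static int64_t days_from_civil(int64_t y, unsigned m, unsigned d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (int64_t)doe - 719468;
}

/* Read exactly n ASCII digits at s[*pos]; the caller has already bounded the length. */
static int read_digits(const unsigned char *s, int *pos, int n, int *out)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        unsigned char c = s[*pos + i];
        if (c < '0' || c > '9')
            return -1;
        v = v * 10 + (c - '0');
    }
    *pos += n;
    *out = v;
    return 0;
}

/*
 * Convert an ASN.1 time string (data/length as held in an ASN1_STRING) to
 * seconds since the Unix epoch. Returns 0 on success, -1 on malformed input.
 * Only the RFC 5280 profile is accepted: UTCTime "YYMMDDHHMMSSZ" (13 bytes)
 * and GeneralizedTime "YYYYMMDDHHMMSSZ" (15 bytes), both in UTC ('Z').
 */
int parse_asn1_time(const unsigned char *data, int length, int type, int64_t *epoch)
{
    static const int mdays[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    int want, year, mon, day, hour, min, sec, pos = 0;

    if (type == ASN1_UTCTIME)
        want = 13;
    else if (type == ASN1_GENERALIZEDTIME)
        want = 15;
    else
        return -1;

    /* The length check comes first: every index below stays inside [0, want). */
    if (data == NULL || length != want || data[want - 1] != 'Z')
        return -1;

    if (read_digits(data, &pos, want - 11, &year) < 0)      /* 2 or 4 year digits */
        return -1;
    if (type == ASN1_UTCTIME)
        year += (year >= 50) ? 1900 : 2000;                 /* RFC 5280 4.1.2.5.1 pivot */

    if (read_digits(data, &pos, 2, &mon)  < 0 || read_digits(data, &pos, 2, &day) < 0 ||
        read_digits(data, &pos, 2, &hour) < 0 || read_digits(data, &pos, 2, &min) < 0 ||
        read_digits(data, &pos, 2, &sec)  < 0)
        return -1;

    int leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
    if (mon < 1 || mon > 12 || day < 1 || day > mdays[mon - 1] + (mon == 2 && leap) ||
        hour > 23 || min > 59 || sec > 59)
        return -1;

    *epoch = days_from_civil(year, (unsigned)mon, (unsigned)day) * 86400
           + hour * 3600 + min * 60 + sec;
    return 0;
}

/* Convenience wrapper for the demo and tests: parse a NUL-terminated literal,
 * returning INT64_MIN when the input is rejected. */
int64_t parse_or_min(const char *s, int type)
{
    int64_t t;
    if (parse_asn1_time((const unsigned char *)s, (int)strlen(s), type, &t) != 0)
        return INT64_MIN;
    return t;
}

int main(void)
{
    /* Constructed inputs: a well-formed UTCTime and a truncated one of the
     * kind that makes an unchecked parser read past the buffer. */
    printf("UTCTime 150821120000Z -> %lld\n",
           (long long)parse_or_min("150821120000Z", ASN1_UTCTIME));
    printf("truncated 1508 rejected: %s\n",
           parse_or_min("1508", ASN1_UTCTIME) == INT64_MIN ? "yes" : "no");
    return 0;
}
```

Build it the way the ticket's reporter built Bro, with `cc -g -fsanitize=address asn1_time.c`, and feed it the truncated input: the parser returns -1 and ASan stays quiet, because no index is formed before the length is known. Dropping the `length != want` test is enough to reproduce the class of report seen in the trace (a one-byte READ just past a heap buffer).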
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 21 Aug 2015 19:20:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1455) topic/dnthayer/py3-compat

[ https://bro-tracker.atlassian.net/browse/BIT-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1455:
------------------------------

    Attachment: diag.log

> topic/dnthayer/py3-compat
> -------------------------
>
> Key: BIT-1455
> URL: https://bro-tracker.atlassian.net/browse/BIT-1455
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BTest
> Reporter: Daniel Thayer
> Fix For: 2.5
>
> Attachments: diag.log
>
>
> The branch topic/dnthayer/py3-compat in the btest repo contains the
> following changes:
> 1) update btest to work on Python 3 (still works with Python 2.6 and 2.7)
> 2) fixed two bugs in btest-diff that could result in a failing test that appears to succeed
> 3) add more test cases
> 4) fix measure-time test to not be skipped on some systems that have all prereqs
> 5) fixed a test that set TEST_DIFF_CANONIFIER to wrong path
> 6) improvements to the README

From jira at bro-tracker.atlassian.net Fri Aug 21 17:20:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 21 Aug 2015 19:20:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1455) topic/dnthayer/py3-compat

[ https://bro-tracker.atlassian.net/browse/BIT-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1455:
------------------------------

    Status: Open  (was: Merge Request)

> topic/dnthayer/py3-compat
> -------------------------
>
> Key: BIT-1455
> URL: https://bro-tracker.atlassian.net/browse/BIT-1455
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BTest
> Reporter: Daniel Thayer
> Fix For: 2.5
>
> Attachments: diag.log
>
>
> The branch topic/dnthayer/py3-compat in the btest repo contains the
> following changes:
> 1) update btest to work on Python 3 (still works with Python 2.6 and 2.7)
> 2) fixed two bugs in btest-diff that could result in a failing test that appears to succeed
> 3) add more test cases
> 4) fix measure-time test to not be skipped on some systems that have all prereqs
> 5) fixed a test that set TEST_DIFF_CANONIFIER to wrong path
> 6) improvements to the README

From jira at bro-tracker.atlassian.net Fri Aug 21 17:20:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 21 Aug 2015 19:20:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1455) topic/dnthayer/py3-compat

[ https://bro-tracker.atlassian.net/browse/BIT-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21712#comment-21712 ]

Robin Sommer commented on BIT-1455:
-----------------------------------

I'm seeing two problems with these changes:

- I'm getting one test case failure with the btest test suite with `tests/measure-time-options.test`. It looks like when the awk command below executes, it doesn't actually receive any of the arguments and then just aborts with a usage message.

{noformat}
@TEST-MEASURE-TIME
@TEST-EXEC: awk 'BEGIN { for ( i = 1; i < 100000; i++ ) x += i; print x; }; done'
{noformat}

> topic/dnthayer/py3-compat
> -------------------------
>
> Key: BIT-1455
> URL: https://bro-tracker.atlassian.net/browse/BIT-1455
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BTest
> Reporter: Daniel Thayer
> Fix For: 2.5
>
> Attachments: diag.log
>
>
> The branch topic/dnthayer/py3-compat in the btest repo contains the
> following changes:
> 1) update btest to work on Python 3 (still works with Python 2.6 and 2.7)
> 2) fixed two bugs in btest-diff that could result in a failing test that appears to succeed
> 3) add more test cases
> 4) fix measure-time test to not be skipped on some systems that have all prereqs
> 5) fixed a test that set TEST_DIFF_CANONIFIER to wrong path
> 6) improvements to the README

From jira at bro-tracker.atlassian.net Fri Aug 21 17:21:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 21 Aug 2015 19:21:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1455) topic/dnthayer/py3-compat

[ https://bro-tracker.atlassian.net/browse/BIT-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1455:
---------------------------------

    Assignee: Daniel Thayer

> topic/dnthayer/py3-compat
> -------------------------
>
> Key: BIT-1455
> URL: https://bro-tracker.atlassian.net/browse/BIT-1455
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BTest
> Reporter: Daniel Thayer
> Assignee: Daniel Thayer
> Fix For: 2.5
>
> Attachments: diag.log
>
>
> The branch topic/dnthayer/py3-compat in the btest repo contains the
> following changes:
> 1) update btest to work on Python 3 (still works with Python 2.6 and 2.7)
> 2) fixed two bugs in btest-diff that could result in a failing test that appears to succeed
> 3) add more test cases
> 4) fix measure-time test to not be skipped on some systems that have all prereqs
> 5) fixed a test that set TEST_DIFF_CANONIFIER to wrong path
> 6) improvements to the README

From jira at bro-tracker.atlassian.net Fri Aug 21 17:22:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 21 Aug 2015 19:22:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1456) BRO plugin install should honor DESTDIR= convention

[ https://bro-tracker.atlassian.net/browse/BIT-1456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1456:
------------------------------

    Status: Merge Request  (was: Open)
    Assignee:  (was: Robin Sommer)

> BRO plugin install should honor DESTDIR= convention
> ---------------------------------------------------
>
> Key: BIT-1456
> URL: https://bro-tracker.atlassian.net/browse/BIT-1456
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Reporter: Jeff Barber
> Fix For: 2.5
>
> Attachments: 0001-Make-plugin-install-honor-DESTDIR-convention.patch
>
>
> When you install a plugin using the standard BRO plugin build, it doesn't honor the DESTDIR= convention. Easy one-line fix attached.
> This patch is for the cmake repo (git://git.bro.org/cmake)

From jira at bro-tracker.atlassian.net Fri Aug 21 17:48:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 21 Aug 2015 19:48:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1455) topic/dnthayer/py3-compat

[ https://bro-tracker.atlassian.net/browse/BIT-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21713#comment-21713 ]

Daniel Thayer commented on BIT-1455:
------------------------------------

The 4 test failures in the Bro repo are expected (those tests need to be fixed). See commit 645ee1ed23bf59b666548ddb14c9229127c6ddb0 in my branch for a full explanation (btest-diff was broken, and so we didn't notice that some tests are broken).

For the tests/measure-time-options.test, it works for me (debian 8, python 2.7.9 and 3.4.2). Could you give me more info about what you're seeing?

> topic/dnthayer/py3-compat
> -------------------------
>
> Key: BIT-1455
> URL: https://bro-tracker.atlassian.net/browse/BIT-1455
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BTest
> Reporter: Daniel Thayer
> Assignee: Daniel Thayer
> Fix For: 2.5
>
> Attachments: diag.log
>
>
> The branch topic/dnthayer/py3-compat in the btest repo contains the
> following changes:
> 1) update btest to work on Python 3 (still works with Python 2.6 and 2.7)
> 2) fixed two bugs in btest-diff that could result in a failing test that appears to succeed
> 3) add more test cases
> 4) fix measure-time test to not be skipped on some systems that have all prereqs
> 5) fixed a test that set TEST_DIFF_CANONIFIER to wrong path
> 6) improvements to the README

From jira at bro-tracker.atlassian.net Fri Aug 21 17:55:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 21 Aug 2015 19:55:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1457) [PATCH] add support for MIME type video/MP2T

[ https://bro-tracker.atlassian.net/browse/BIT-1457?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1457:
------------------------------

    Status: Closed  (was: Merge Request)

> [PATCH] add support for MIME type video/MP2T
> --------------------------------------------
>
> Key: BIT-1457
> URL: https://bro-tracker.atlassian.net/browse/BIT-1457
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Reporter: Mike Freemon
> Attachments: bro-git-patch-suppport-mime-type-video-MP2T.patch
>
>
> This is a merge request that adds support for MIME type video/MP2T

From jira at bro-tracker.atlassian.net Fri Aug 21 17:55:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 21 Aug 2015 19:55:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1456) BRO plugin install should honor DESTDIR= convention

[ https://bro-tracker.atlassian.net/browse/BIT-1456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1456:
------------------------------

    Status: Closed  (was: Merge Request)

> BRO plugin install should honor DESTDIR= convention
> ---------------------------------------------------
>
> Key: BIT-1456
> URL: https://bro-tracker.atlassian.net/browse/BIT-1456
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Reporter: Jeff Barber
> Fix For: 2.5
>
> Attachments: 0001-Make-plugin-install-honor-DESTDIR-convention.patch
>
>
> When you install a plugin using the standard BRO plugin build, it doesn't honor the DESTDIR= convention. Easy one-line fix attached.
> This patch is for the cmake repo (git://git.bro.org/cmake)

From jira at bro-tracker.atlassian.net Fri Aug 21 18:00:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 21 Aug 2015 20:00:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1455) topic/dnthayer/py3-compat

[ https://bro-tracker.atlassian.net/browse/BIT-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21714#comment-21714 ]

Robin Sommer commented on BIT-1455:
-----------------------------------

> The 4 test failures in the Bro repo are expected

Ah, I saw the commit, but didn't make the connection to these tests. Can you see if you can fix them?

> Could you give me more info about what you're seeing?

Not much more than what I wrote unfortunately. Here's what it looks like:

{noformat}
> .btest -dv tests/measure-time-options.test
tests.measure-time-options ...
  > test "`uname`" = "Linux"
  > which perf
  > perf stat -o /dev/null true 2> /dev/null
  > perf stat -x " " -e instructions true 2>&1 | grep -vq "not supported"
  > test -f btest.cfg || cp /home/robin/bro/master/aux/btest/testing/btest.tests.cfg btest.cfg; echo >/dev/null
tests.measure-time-options
  > btest -D %INPUT >>output 2>&1
  > echo ----- >>output
  > test '!' -e Baseline/_Timing
  > test '!' -e mytimings
  > btest -DT %INPUT >>output 2>&1
  ... tests.measure-time-options failed
  % 'btest -DT /home/robin/bro/master/aux/btest/testing/.tmp/tests.measure-time-options/measure-time-options.test >>output 2>&1' failed unexpectedly (exit code 1)
  % cat .stderr

1 of 1 test failed

../testing> cat .tmp/tests.measure-time-options/.tmp/measure-time-options/.stderr
Usage: awk [POSIX or GNU style options] -f progfile [--] file ...
Usage: awk [POSIX or GNU style options] [--] 'program' file ...
POSIX options:          GNU long options: (standard)
        -f progfile             --file=progfile
        -F fs                   --field-separator=fs
[rest of the usage message]
{noformat}

For debugging I replaced the awk with something else just recording arguments and it's indeed just being called without any of them, which triggers the usage message.

> topic/dnthayer/py3-compat
> -------------------------
>
> Key: BIT-1455
> URL: https://bro-tracker.atlassian.net/browse/BIT-1455
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BTest
> Reporter: Daniel Thayer
> Assignee: Daniel Thayer
> Fix For: 2.5
>
> Attachments: diag.log
>
>
> The branch topic/dnthayer/py3-compat in the btest repo contains the
> following changes:
> 1) update btest to work on Python 3 (still works with Python 2.6 and 2.7)
> 2) fixed two bugs in btest-diff that could result in a failing test that appears to succeed
> 3) add more test cases
> 4) fix measure-time test to not be skipped on some systems that have all prereqs
> 5) fixed a test that set TEST_DIFF_CANONIFIER to wrong path
> 6) improvements to the README

From jira at bro-tracker.atlassian.net Fri Aug 21 23:14:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Sat, 22 Aug 2015 01:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1455) topic/dnthayer/py3-compat

[ https://bro-tracker.atlassian.net/browse/BIT-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1455:
-------------------------------

    Status: Merge Request  (was: Open)
    Assignee:  (was: Daniel Thayer)

> topic/dnthayer/py3-compat
> -------------------------
>
> Key: BIT-1455
> URL: https://bro-tracker.atlassian.net/browse/BIT-1455
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BTest
> Reporter: Daniel Thayer
> Fix For: 2.5
>
> Attachments: diag.log
>
>
> The branch topic/dnthayer/py3-compat in the btest repo contains the
> following changes:
> 1) update btest to work on Python 3 (still works with Python 2.6 and 2.7)
> 2) fixed two bugs in btest-diff that could result in a failing test that appears to succeed
> 3) add more test cases
> 4) fix measure-time test to not be skipped on some systems that have all prereqs
> 5) fixed a test that set TEST_DIFF_CANONIFIER to wrong path
> 6) improvements to the README

From jira at bro-tracker.atlassian.net Fri Aug 21 23:14:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Sat, 22 Aug 2015 01:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1455) topic/dnthayer/py3-compat

[ https://bro-tracker.atlassian.net/browse/BIT-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21715#comment-21715 ]

Daniel Thayer commented on BIT-1455:
------------------------------------

OK, the measure-time-options test was broken, but I didn't notice because my system uses mawk instead of gawk (the test would fail only if gawk was installed). Fixed.

> topic/dnthayer/py3-compat
> -------------------------
>
> Key: BIT-1455
> URL: https://bro-tracker.atlassian.net/browse/BIT-1455
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BTest
> Reporter: Daniel Thayer
> Assignee: Daniel Thayer
> Fix For: 2.5
>
> Attachments: diag.log
>
>
> The branch topic/dnthayer/py3-compat in the btest repo contains the
> following changes:
> 1) update btest to work on Python 3 (still works with Python 2.6 and 2.7)
> 2) fixed two bugs in btest-diff that could result in a failing test that appears to succeed
> 3) add more test cases
> 4) fix measure-time test to not be skipped on some systems that have all prereqs
> 5) fixed a test that set TEST_DIFF_CANONIFIER to wrong path
> 6) improvements to the README

From noreply at bro.org Sat Aug 22 00:00:18 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 22 Aug 2015 00:00:18 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508220700.t7M70IsA019684@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee   Updated     For Version   Priority   Summary
------------  ----------  -------------  ---------  ----------  ------------  ---------  -----------------------------
BIT-1455 [1]  BTest       Daniel Thayer  -          2015-08-22  2.5           Normal     topic/dnthayer/py3-compat [2]

Open GitHub Pull Requests
=========================

Issue    Component    User            Updated     Title
-------  -----------  --------------  ----------  ---------------------------------------------------
#42 [3]  bro          J-Gras [4]      2015-08-22  Improved logging of Base64 errors [5]
#40 [6]  bro          knielander [7]  2015-08-22  Enable linux fanout mode with Bro [8]
#6 [9]   bro-plugins  jswaro [10]     2015-08-22  Adding initial conversion of TCPRS to a plugin [11]

[1] BIT-1455 https://bro-tracker.atlassian.net/browse/BIT-1455
[2] py3-compat https://github.com/bro/btest/tree/topic/dnthayer/py3-compat
[3] Pull Request #42 https://github.com/bro/bro/pull/42
[4] J-Gras https://github.com/J-Gras
[5] Merge Pull Request #42 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/base64-logging
[6] Pull Request #40 https://github.com/bro/bro/pull/40
[7] knielander https://github.com/knielander
[8] Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[9] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[10] jswaro https://github.com/jswaro
[11] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin

From jira at bro-tracker.atlassian.net Sat Aug 22 08:35:01 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Sat, 22 Aug 2015 10:35:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1465) heap overflow in GetTimeFromAsn1

[ https://bro-tracker.atlassian.net/browse/BIT-1465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21716#comment-21716 ]

Justin Azoff commented on BIT-1465:
-----------------------------------

If anyone is wondering, the workaround to get bro to build is

    export ASAN_OPTIONS=detect_leaks=0

> heap overflow in GetTimeFromAsn1
> --------------------------------
>
> Key: BIT-1465
> URL: https://bro-tracker.atlassian.net/browse/BIT-1465
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Reporter: Justin Azoff
> Attachments: gettimefromasn_bug.pcap
>
>
> This pcap requires -C
> {code}
> # bro -C -r gettimefromasn_bug.pcap
> =================================================================
> ==18126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001c0001 at pc 0x000000d1cd37 bp 0x7fffe6f622f0 sp 0x7fffe6f622e8
> READ of size 1 at 0x6020001c0001 thread T0
> #0 0xd1cd36 in file_analysis::X509::GetTimeFromAsn1(asn1_string_st const*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:578:7
> #1 0xd1b632 in file_analysis::X509::ParseCertificate(file_analysis::X509Val*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:134:31
> #2 0xd1a93c in file_analysis::X509::EndOfFile() /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:55:27
> #3 0xdd5513 in file_analysis::File::EndOfFile() /scratch/bro-clean/src/file_analysis/File.cc:522:10
> #4 0xdc83e3 in file_analysis::Manager::RemoveFile(std::__cxx11::basic_string, std::allocator > const&) /scratch/bro-clean/src/file_analysis/Manager.cc:395:2
> #5 0xbf3287 in binpac::RDP::RDP_Flow::proc_x509_cert_data(binpac::RDP::X509_Cert_Data*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3667:3
> #6 0xbf288e in binpac::RDP::X509_Cert_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3390:10
> #7 0xbf15bc in binpac::RDP::X509::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3316:25
> #8 0xbefefc in binpac::RDP::Server_Certificate::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3022:19
> #9 0xbe897b in binpac::RDP::Server_Security_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2935:2
> #10 0xbe664a in binpac::RDP::Data_Block::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1176:30
> #11 0xbe57c4 in binpac::RDP::Server_Header::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2513:31
> #12 0xbe38a8 in binpac::RDP::DT_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1010:21
> #13 0xbe16c7 in binpac::RDP::COTP::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:899:19
> #14 0xbe10cd in binpac::RDP::TPKT::ParseBuffer(binpac::FlowBuffer*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:787:20
> #15 0xbf3d4b in binpac::RDP::RDP_Flow::NewData(unsigned char const*, unsigned char const*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3436:35
> #16 0xbd9b33 in analyzer::rdp::RDP_Analyzer::DeliverStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/rdp/RDP.cc:80:4
> #17 0xe2506c in analyzer::Analyzer::NextStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:245:4
> #18 0xe26530 in analyzer::Analyzer::ForwardStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:331:4
> #19 0xce012d in analyzer::tcp::TCP_Reassembler::DeliverBlock(unsigned long, int, unsigned char const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:647:2
> #20 0xcdfb77 in analyzer::tcp::TCP_Reassembler::BlockInserted(DataBlock*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:393:4
> #21 0xce0a4a in analyzer::tcp::TCP_Reassembler::DataSent(double, unsigned long, int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:492:2
> #22 0xcdc26d in analyzer::tcp::TCP_Endpoint::DataSent(double, unsigned long, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Endpoint.cc:205:12
> #23 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverData(double, unsigned char const*, int, int, IP_Hdr const*, tcphdr const*, analyzer::tcp::TCP_Endpoint*, unsigned long, int, analyzer::tcp::TCP_Flags) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:982:9
> #24 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1381
> #25 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
> #26 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
> #27 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
> #28 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
> #29 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
> #30 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
> #31 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
> #32 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
> #33 0x7f3b3edbdb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
> #34 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

From jira at bro-tracker.atlassian.net Sat Aug 22 12:09:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Sat, 22 Aug 2015 14:09:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1467) several tests are broken in scripts/policy/protocols/ssl

Daniel Thayer created BIT-1467:
----------------------------------

    Summary: several tests are broken in scripts/policy/protocols/ssl
    Key: BIT-1467
    URL: https://bro-tracker.atlassian.net/browse/BIT-1467
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Reporter: Daniel Thayer
    Fix For: 2.5

Due to recent bug fixes in the btest repo (see BIT-1455), it was discovered that several tests in the bro repo now fail due to problems with their canonifier.

From jira at bro-tracker.atlassian.net Sat Aug 22 12:10:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Sat, 22 Aug 2015 14:10:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1467) several tests are broken in scripts/policy/protocols/ssl
In-Reply-To: 
References: 
Message-ID: 

    [ https://bro-tracker.atlassian.net/browse/BIT-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer reassigned BIT-1467:
----------------------------------

    Assignee: Daniel Thayer

> several tests are broken in scripts/policy/protocols/ssl
> --------------------------------------------------------
>
>         Key: BIT-1467
>         URL: https://bro-tracker.atlassian.net/browse/BIT-1467
>     Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>    Reporter: Daniel Thayer
>    Assignee: Daniel Thayer
>     Fix For: 2.5
>
>
> Due to recent bug fixes in the btest repo (see BIT-1455), it was
> discovered that several tests in the bro repo now fail due to problems
> with their canonifier.

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-01-193#70101)

From jira at bro-tracker.atlassian.net Sat Aug 22 19:45:02 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Sat, 22 Aug 2015 21:45:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1457) [PATCH] add support for MIME type video/MP2T
In-Reply-To: 
References: 
Message-ID: 

    [ https://bro-tracker.atlassian.net/browse/BIT-1457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21717#comment-21717 ]

Johanna Amann commented on BIT-1457:
------------------------------------

I know, this comment comes a bit late, but...

Seth, does this look similar to the regular expressions that trigger a state explosion? I am not quite sure, but it sounds a bit like what you described if I remember it correctly...

> [PATCH] add support for MIME type video/MP2T
> --------------------------------------------
>
>         Key: BIT-1457
>         URL: https://bro-tracker.atlassian.net/browse/BIT-1457
>     Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: Bro
>    Reporter: Mike Freemon
> Attachments: bro-git-patch-suppport-mime-type-video-MP2T.patch
>
>
> This is a merge request that adds support for MIME type video/MP2T

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-01-193#70101)

From noreply at bro.org Sun Aug 23 00:00:21 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 23 Aug 2015 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508230700.t7N70LmL027643@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component   Reporter        Assignee   Updated     For Version   Priority   Summary
  ------------  ----------  --------------  ---------  ----------  ------------  ---------  -----------------------------
  BIT-1455 [1]  BTest       Daniel Thayer   -          2015-08-22  2.5           Normal     topic/dnthayer/py3-compat [2]

Open GitHub Pull Requests
=========================

  Issue    Component    User             Updated     Title
  -------  -----------  ---------------  ----------  ---------------------------------------------------
  #42 [3]  bro          J-Gras [4]       2015-08-22  Improved logging of Base64 errors [5]
  #40 [6]  bro          knielander [7]   2015-08-22  Enable linux fanout mode with Bro [8]
  #6 [9]   bro-plugins  jswaro [10]      2015-08-22  Adding initial conversion of TCPRS to a plugin [11]

[1]  BIT-1455          https://bro-tracker.atlassian.net/browse/BIT-1455
[2]  py3-compat        https://github.com/bro/btest/tree/topic/dnthayer/py3-compat
[3]  Pull Request #42  https://github.com/bro/bro/pull/42
[4]  J-Gras            https://github.com/J-Gras
[5]  Merge Pull Request #42 with   git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/base64-logging
[6]  Pull Request #40  https://github.com/bro/bro/pull/40
[7]  knielander        https://github.com/knielander
[8]  Merge Pull Request #40 with   git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[9]  Pull Request #6   https://github.com/bro/bro-plugins/pull/6
[10] jswaro            https://github.com/jswaro
[11] Merge Pull Request #6 with    git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin

From noreply at bro.org Mon Aug 24 00:00:24 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 24 Aug 2015 00:00:24 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508240700.t7O70OVu024077@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component   Reporter        Assignee   Updated     For Version   Priority   Summary
  ------------  ----------  --------------  ---------  ----------  ------------  ---------  -----------------------------
  BIT-1455 [1]  BTest       Daniel Thayer   -          2015-08-22  2.5           Normal     topic/dnthayer/py3-compat [2]

Open GitHub Pull Requests
=========================

  Issue    Component    User             Updated     Title
  -------  -----------  ---------------  ----------  ---------------------------------------------------
  #42 [3]  bro          J-Gras [4]       2015-08-22  Improved logging of Base64 errors [5]
  #40 [6]  bro          knielander [7]   2015-08-22  Enable linux fanout mode with Bro [8]
  #6 [9]   bro-plugins  jswaro [10]      2015-08-22  Adding initial conversion of TCPRS to a plugin [11]

[1]  BIT-1455          https://bro-tracker.atlassian.net/browse/BIT-1455
[2]  py3-compat        https://github.com/bro/btest/tree/topic/dnthayer/py3-compat
[3]  Pull Request #42  https://github.com/bro/bro/pull/42
[4]  J-Gras            https://github.com/J-Gras
[5]  Merge Pull Request #42 with   git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/base64-logging
[6]  Pull Request #40  https://github.com/bro/bro/pull/40
[7]  knielander        https://github.com/knielander
[8]  Merge Pull Request #40 with   git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[9]  Pull Request #6   https://github.com/bro/bro-plugins/pull/6
[10] jswaro            https://github.com/jswaro
[11] Merge Pull Request #6 with    git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin

From jira at bro-tracker.atlassian.net Mon Aug 24 09:48:01 2015
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Mon, 24 Aug 2015 11:48:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1466) Need to document Q and I for conn.log
In-Reply-To: 
References: 
Message-ID: 

    [ https://bro-tracker.atlassian.net/browse/BIT-1466?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vlad Grigorescu reassigned BIT-1466:
------------------------------------

    Assignee: Vlad Grigorescu

> Need to document Q and I for conn.log
> -------------------------------------
>
>              Key: BIT-1466
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1466
>          Project: Bro Issue Tracker
>       Issue Type: Improvement
>       Components: Documentation
> Affects Versions: 2.4
>      Environment: Web site documentation
>         Reporter: james.lay
>         Assignee: Vlad Grigorescu
>         Priority: Trivial
>           Labels: documentation
>
> Need to document Q and I in conn.log, per Seth's request

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From robin at icir.org Mon Aug 24 10:50:04 2015
From: robin at icir.org (Robin Sommer)
Date: Mon, 24 Aug 2015 10:50:04 -0700
Subject: [Bro-Dev] [JIRA] (BIT-1457) [PATCH] add support for MIME type video/MP2T
In-Reply-To: 
References: 
Message-ID: <20150824175004.GD3571@icir.org>

> Seth, does this look similar to the regular expressions that trigger a
> state explosion?

Hmm ... That is a good point. The pattern should be ok on its own, but might be problematic in combination with others. It doesn't look like there's much of a better way to detect this type, though, and it's anchored to a specific byte at the beginning, which means it won't kick in that often.

Seth, any opinion on whether to take it out?

From jira at bro-tracker.atlassian.net Mon Aug 24 10:51:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 24 Aug 2015 12:51:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1457) [PATCH] add support for MIME type video/MP2T
In-Reply-To: 
References: 
Message-ID: 

    [ https://bro-tracker.atlassian.net/browse/BIT-1457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21800#comment-21800 ]

Robin Sommer commented on BIT-1457:
-----------------------------------

Hmm ... That is a good point. The pattern should be ok on its own, but might be problematic in combination with others. It doesn't look like there's much of a better way to detect this type, though, and it's anchored to a specific byte at the beginning, which means it won't kick in that often.

Seth, any opinion on whether to take it out?

> [PATCH] add support for MIME type video/MP2T
> --------------------------------------------
>
>         Key: BIT-1457
>         URL: https://bro-tracker.atlassian.net/browse/BIT-1457
>     Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: Bro
>    Reporter: Mike Freemon
> Attachments: bro-git-patch-suppport-mime-type-video-MP2T.patch
>
>
> This is a merge request that adds support for MIME type video/MP2T

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From jira at bro-tracker.atlassian.net Mon Aug 24 11:30:01 2015
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Mon, 24 Aug 2015 13:30:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1466) Need to document Q and I for conn.log
In-Reply-To: 
References: 
Message-ID: 

    [ https://bro-tracker.atlassian.net/browse/BIT-1466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21801#comment-21801 ]

Vlad Grigorescu commented on BIT-1466:
--------------------------------------

Fixed in topic/vladg/bit-1466

> Need to document Q and I for conn.log
> -------------------------------------
>
>              Key: BIT-1466
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1466
>          Project: Bro Issue Tracker
>       Issue Type: Improvement
>       Components: Documentation
> Affects Versions: 2.4
>      Environment: Web site documentation
>         Reporter: james.lay
>         Priority: Trivial
>           Labels: documentation
>
> Need to document Q and I in conn.log, per Seth's request

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From jira at bro-tracker.atlassian.net Mon Aug 24 11:30:01 2015
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Mon, 24 Aug 2015 13:30:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1466) Need to document Q and I for conn.log
In-Reply-To: 
References: 
Message-ID: 

    [ https://bro-tracker.atlassian.net/browse/BIT-1466?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vlad Grigorescu updated BIT-1466:
---------------------------------

      Status: Merge Request  (was: Open)
    Assignee:     (was: Vlad Grigorescu)

> Need to document Q and I for conn.log
> -------------------------------------
>
>              Key: BIT-1466
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1466
>          Project: Bro Issue Tracker
>       Issue Type: Improvement
>       Components: Documentation
> Affects Versions: 2.4
>      Environment: Web site documentation
>         Reporter: james.lay
>         Priority: Trivial
>           Labels: documentation
>
> Need to document Q and I in conn.log, per Seth's request

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From noreply at bro.org Tue Aug 25 00:00:22 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 25 Aug 2015 00:00:22 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508250700.t7P70M4F031688@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component      Reporter        Assignee   Updated     For Version   Priority   Summary
  ------------  -------------  --------------  ---------  ----------  ------------  ---------  -------------------------------------
  BIT-1466 [1]  Documentation  james.lay       -          2015-08-24  -             Trivial    Need to document Q and I for conn.log
  BIT-1455 [2]  BTest          Daniel Thayer   -          2015-08-22  2.5           Normal     topic/dnthayer/py3-compat [3]

Open GitHub Pull Requests
=========================

  Issue    Component    User             Updated     Title
  -------  -----------  ---------------  ----------  ---------------------------------------------------
  #42 [4]  bro          J-Gras [5]       2015-08-24  Improved logging of Base64 errors [6]
  #40 [7]  bro          knielander [8]   2015-08-24  Enable linux fanout mode with Bro [9]
  #6 [10]  bro-plugins  jswaro [11]      2015-08-24  Adding initial conversion of TCPRS to a plugin [12]

[1]  BIT-1466          https://bro-tracker.atlassian.net/browse/BIT-1466
[2]  BIT-1455          https://bro-tracker.atlassian.net/browse/BIT-1455
[3]  py3-compat        https://github.com/bro/btest/tree/topic/dnthayer/py3-compat
[4]  Pull Request #42  https://github.com/bro/bro/pull/42
[5]  J-Gras            https://github.com/J-Gras
[6]  Merge Pull Request #42 with   git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/base64-logging
[7]  Pull Request #40  https://github.com/bro/bro/pull/40
[8]  knielander        https://github.com/knielander
[9]  Merge Pull Request #40 with   git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[10] Pull Request #6   https://github.com/bro/bro-plugins/pull/6
[11] jswaro            https://github.com/jswaro
[12] Merge Pull Request #6 with    git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin

From jira at bro-tracker.atlassian.net Tue Aug 25 15:04:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 25 Aug 2015 17:04:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1465) heap overflow in GetTimeFromAsn1
In-Reply-To: 
References: 
Message-ID: 

    [ https://bro-tracker.atlassian.net/browse/BIT-1465?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1465:
----------------------------------

    Assignee: Johanna Amann

> heap overflow in GetTimeFromAsn1
> --------------------------------
>
>              Key: BIT-1465
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1465
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro
> Affects Versions: 2.4
>         Reporter: Justin Azoff
>         Assignee: Johanna Amann
>      Attachments: gettimefromasn_bug.pcap
>
>
> This pcap requires -C
> {code}
> # bro -C -r gettimefromasn_bug.pcap
> =================================================================
> ==18126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001c0001 at pc 0x000000d1cd37 bp 0x7fffe6f622f0 sp 0x7fffe6f622e8
> READ of size 1 at 0x6020001c0001 thread T0
> #0 0xd1cd36 in file_analysis::X509::GetTimeFromAsn1(asn1_string_st const*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:578:7
> #1 0xd1b632 in file_analysis::X509::ParseCertificate(file_analysis::X509Val*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:134:31
> #2 0xd1a93c in file_analysis::X509::EndOfFile() /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:55:27
> #3 0xdd5513 in file_analysis::File::EndOfFile() /scratch/bro-clean/src/file_analysis/File.cc:522:10
> #4 0xdc83e3 in file_analysis::Manager::RemoveFile(std::__cxx11::basic_string, std::allocator > const&) /scratch/bro-clean/src/file_analysis/Manager.cc:395:2
> #5 0xbf3287 in binpac::RDP::RDP_Flow::proc_x509_cert_data(binpac::RDP::X509_Cert_Data*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3667:3
> #6 0xbf288e in binpac::RDP::X509_Cert_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3390:10
> #7 0xbf15bc in binpac::RDP::X509::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3316:25
> #8 0xbefefc in binpac::RDP::Server_Certificate::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3022:19
> #9 0xbe897b in binpac::RDP::Server_Security_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2935:2
> #10 0xbe664a in binpac::RDP::Data_Block::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1176:30
> #11 0xbe57c4 in binpac::RDP::Server_Header::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2513:31
> #12 0xbe38a8 in binpac::RDP::DT_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1010:21
> #13 0xbe16c7 in binpac::RDP::COTP::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:899:19
> #14 0xbe10cd in binpac::RDP::TPKT::ParseBuffer(binpac::FlowBuffer*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:787:20
> #15 0xbf3d4b in binpac::RDP::RDP_Flow::NewData(unsigned char const*, unsigned char const*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3436:35
> #16 0xbd9b33 in analyzer::rdp::RDP_Analyzer::DeliverStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/rdp/RDP.cc:80:4
> #17 0xe2506c in analyzer::Analyzer::NextStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:245:4
> #18 0xe26530 in analyzer::Analyzer::ForwardStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:331:4
> #19 0xce012d in analyzer::tcp::TCP_Reassembler::DeliverBlock(unsigned long, int, unsigned char const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:647:2
> #20 0xcdfb77 in analyzer::tcp::TCP_Reassembler::BlockInserted(DataBlock*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:393:4
> #21 0xce0a4a in analyzer::tcp::TCP_Reassembler::DataSent(double, unsigned long, int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:492:2
> #22 0xcdc26d in analyzer::tcp::TCP_Endpoint::DataSent(double, unsigned long, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Endpoint.cc:205:12
> #23 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverData(double, unsigned char const*, int, int, IP_Hdr const*, tcphdr const*, analyzer::tcp::TCP_Endpoint*, unsigned long, int, analyzer::tcp::TCP_Flags) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:982:9
> #24 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1381
> #25 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
> #26 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
> #27 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
> #28 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
> #29 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
> #30 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
> #31 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
> #32 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
> #33 0x7f3b3edbdb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
> #34 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From jira at bro-tracker.atlassian.net Tue Aug 25 15:47:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 25 Aug 2015 17:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1466) Need to document Q and I for conn.log
In-Reply-To: 
References: 
Message-ID: 

    [ https://bro-tracker.atlassian.net/browse/BIT-1466?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1466:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> Need to document Q and I for conn.log
> -------------------------------------
>
>              Key: BIT-1466
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1466
>          Project: Bro Issue Tracker
>       Issue Type: Improvement
>       Components: Documentation
> Affects Versions: 2.4
>      Environment: Web site documentation
>         Reporter: james.lay
>         Priority: Trivial
>           Labels: documentation
>
> Need to document Q and I in conn.log, per Seth's request

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From jira at bro-tracker.atlassian.net Tue Aug 25 15:47:00 2015
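Returning to the BIT-1465 report quoted above: the AddressSanitizer output says only that GetTimeFromAsn1 performed a one-byte READ just past the end of a heap buffer while parsing an X.509 certificate's ASN1_TIME; it does not say which part of the time format triggered it, and nothing on this page does. The parser below is an added illustration written for this page, not Bro's code, of the property such a parser needs: every field is fetched through one helper that checks the remaining length before touching a byte, so a truncated string (for example an offset "+01" missing its minutes digits) fails with ValueError instead of being read past. The tag numbers mirror OpenSSL's V_ASN1_UTCTIME and V_ASN1_GENERALIZEDTIME; the function names and the sample inputs are the example's own.

```python
"""Bounds-checked parser for ASN.1 UTCTime / GeneralizedTime payloads (example code, not Bro's)."""
from datetime import datetime, timedelta, timezone

# Tag numbers as OpenSSL defines them (V_ASN1_UTCTIME, V_ASN1_GENERALIZEDTIME).
UTCTIME = 23
GENERALIZEDTIME = 24


def _digits(buf, pos, n):
    """Read n ASCII digits at buf[pos:pos+n]; refuses to read past the end of buf."""
    if pos + n > len(buf):
        raise ValueError("truncated: need %d bytes at offset %d, only %d left"
                         % (n, pos, len(buf) - pos))
    chunk = buf[pos:pos + n]
    if not chunk.isdigit():                      # bytes.isdigit(): non-empty, all ASCII digits
        raise ValueError("non-digit in time field at offset %d: %r" % (pos, chunk))
    return int(chunk), pos + n


def parse_asn1_time(kind, buf):
    """Return an aware UTC datetime for the payload of an ASN1_TIME, or raise ValueError.

    Accepts the X.680 forms (optional seconds, optional fractional seconds for
    GeneralizedTime, 'Z' or a +HHMM/-HHMM offset) and never reads beyond len(buf).
    """
    if not isinstance(buf, (bytes, bytearray)):
        raise TypeError("ASN1_TIME payload must be bytes")
    pos = 0
    if kind == GENERALIZEDTIME:
        year, pos = _digits(buf, pos, 4)
    elif kind == UTCTIME:
        yy, pos = _digits(buf, pos, 2)
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 4.1.2.5.1 two-digit year window
    else:
        raise ValueError("unsupported ASN.1 time tag %r" % (kind,))
    month, pos = _digits(buf, pos, 2)
    day, pos = _digits(buf, pos, 2)
    hour, pos = _digits(buf, pos, 2)
    minute, pos = _digits(buf, pos, 2)

    second = 0
    if pos + 2 <= len(buf) and buf[pos:pos + 2].isdigit():   # seconds present?
        second, pos = _digits(buf, pos, 2)

    micro = 0
    if kind == GENERALIZEDTIME and buf[pos:pos + 1] == b".":  # slicing never raises IndexError
        pos += 1
        start = pos
        while pos < len(buf) and 0x30 <= buf[pos] <= 0x39:
            pos += 1
        if pos == start:
            raise ValueError("empty fractional seconds")
        micro = int((buf[start:pos] + b"000000")[:6])         # keep microsecond precision

    tz = buf[pos:pos + 1]                                      # b"" if nothing is left
    offset = timedelta(0)
    if tz == b"Z":
        pos += 1
    elif tz in (b"+", b"-"):
        pos += 1
        oh, pos = _digits(buf, pos, 2)                         # fails cleanly on "+01"
        om, pos = _digits(buf, pos, 2)
        if oh > 23 or om > 59:
            raise ValueError("timezone offset out of range")
        offset = timedelta(hours=oh, minutes=om)
        if tz == b"-":
            offset = -offset
    else:
        raise ValueError("missing or bad timezone designator at offset %d" % pos)
    if pos != len(buf):
        raise ValueError("%d trailing byte(s) after time" % (len(buf) - pos))

    try:
        local = datetime(year, month, day, hour, minute, second, micro, tzinfo=timezone.utc)
    except ValueError as exc:
        raise ValueError("invalid calendar value: %s" % exc)
    return local - offset   # local wall time minus its UTC offset is the UTC instant


def parse_or_none(kind, buf):
    """How a protocol parser would call this: never raise on attacker-controlled input."""
    try:
        return parse_asn1_time(kind, buf)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample inputs: valid encodings of one instant, then truncated ones.
    for kind, payload in [(UTCTIME, b"150822120900Z"),
                          (GENERALIZEDTIME, b"20150822120900.5Z"),
                          (UTCTIME, b"150822130900+0100"),
                          (UTCTIME, b"150822120900+01"),      # offset missing its minutes
                          (GENERALIZEDTIME, b"2015082212")]:  # cut off inside the time
        print(payload, "->", parse_or_none(kind, payload))
```

The shape worth copying is that there is exactly one place that reads from the buffer and it compares against the length first; the C++ equivalent is passing both the data pointer and ASN1_STRING_length() into a single checked accessor rather than walking the pointer by hand.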
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 25 Aug 2015 17:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1455) topic/dnthayer/py3-compat
In-Reply-To: 
References: 
Message-ID: 

    [ https://bro-tracker.atlassian.net/browse/BIT-1455?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1455:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> topic/dnthayer/py3-compat
> -------------------------
>
>         Key: BIT-1455
>         URL: https://bro-tracker.atlassian.net/browse/BIT-1455
>     Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: BTest
>    Reporter: Daniel Thayer
>     Fix For: 2.5
>
> Attachments: diag.log
>
>
> The branch topic/dnthayer/py3-compat in the btest repo contains the
> following changes:
> 1) update btest to work on Python 3 (still works with Python 2.6 and 2.7)
> 2) fixed two bugs in btest-diff that could result in a failing test that appears to succeed
> 3) add more test cases
> 4) fix measure-time test to not be skipped on some systems that have all prereqs
> 5) fixed a test that set TEST_DIFF_CANONIFIER to wrong path
> 6) improvements to the README

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From noreply at bro.org Wed Aug 26 00:00:17 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 26 Aug 2015 00:00:17 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508260700.t7Q70H8k022197@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

  Issue    Component    User             Updated     Title
  -------  -----------  ---------------  ----------  --------------------------------------------------
  #42 [1]  bro          J-Gras [2]       2015-08-24  Improved logging of Base64 errors [3]
  #40 [4]  bro          knielander [5]   2015-08-24  Enable linux fanout mode with Bro [6]
  #6 [7]   bro-plugins  jswaro [8]       2015-08-24  Adding initial conversion of TCPRS to a plugin [9]

[1] Pull Request #42  https://github.com/bro/bro/pull/42
[2] J-Gras            https://github.com/J-Gras
[3] Merge Pull Request #42 with   git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/base64-logging
[4] Pull Request #40  https://github.com/bro/bro/pull/40
[5] knielander        https://github.com/knielander
[6] Merge Pull Request #40 with   git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[7] Pull Request #6   https://github.com/bro/bro-plugins/pull/6
[8] jswaro            https://github.com/jswaro
[9] Merge Pull Request #6 with    git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin

From seth at icir.org Wed Aug 26 06:26:38 2015
From: seth at icir.org (Seth Hall)
Date: Wed, 26 Aug 2015 09:26:38 -0400
Subject: [Bro-Dev] [JIRA] (BIT-1457) [PATCH] add support for MIME type video/MP2T
In-Reply-To: <20150824175004.GD3571@icir.org>
References: <20150824175004.GD3571@icir.org>
Message-ID: <00679D58-1F01-4F82-89AD-86C2DE492B41@icir.org>

> On Aug 24, 2015, at 1:50 PM, Robin Sommer wrote:
> 
> Seth, any opinion on whether to take it out?

I suspect it's probably ok. The biggest offenders are patterns that start with .* Although I do remember that there was some issue with patterns that repeat a repeated body.

  .Seth

From jira at bro-tracker.atlassian.net Wed Aug 26 06:28:01 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Wed, 26 Aug 2015 08:28:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1457) [PATCH] add support for MIME type video/MP2T
In-Reply-To: 
References: 
Message-ID: 

    [ https://bro-tracker.atlassian.net/browse/BIT-1457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21802#comment-21802 ]

Seth Hall commented on BIT-1457:
--------------------------------

I suspect it's probably ok. The biggest offenders are patterns that start with .* Although I do remember that there was some issue with patterns that repeat a repeated body.

  .Seth

> [PATCH] add support for MIME type video/MP2T
> --------------------------------------------
>
>         Key: BIT-1457
>         URL: https://bro-tracker.atlassian.net/browse/BIT-1457
>     Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: Bro
>    Reporter: Mike Freemon
> Attachments: bro-git-patch-suppport-mime-type-video-MP2T.patch
>
>
> This is a merge request that adds support for MIME type video/MP2T

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From robin at icir.org Wed Aug 26 07:43:57 2015
From: robin at icir.org (Robin Sommer)
Date: Wed, 26 Aug 2015 07:43:57 -0700
Subject: [Bro-Dev] [JIRA] (BIT-1457) [PATCH] add support for MIME type video/MP2T
In-Reply-To: <00679D58-1F01-4F82-89AD-86C2DE492B41@icir.org>
References: <20150824175004.GD3571@icir.org> <00679D58-1F01-4F82-89AD-86C2DE492B41@icir.org>
Message-ID: <20150826144357.GU41831@icir.org>

On Wed, Aug 26, 2015 at 09:26 -0400, you wrote:

> Although I do remember that there was some issue with patterns that repeat a repeated body.

I think it could become a problem if another similar pattern aligns with this one on a DFA hot path. Ok, let's leave it in for now but keep it in mind if we see trouble. At least the timing measurements didn't show problems with the test-suite after I merged this (while I think I recall indeed seeing improvements there when you did the DPD regexp changes a while ago).

Robin

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From jira at bro-tracker.atlassian.net Wed Aug 26 07:45:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Wed, 26 Aug 2015 09:45:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1457) [PATCH] add support for MIME type video/MP2T
In-Reply-To: 
References: 
Message-ID: 

    [ https://bro-tracker.atlassian.net/browse/BIT-1457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21803#comment-21803 ]

Robin Sommer commented on BIT-1457:
-----------------------------------

I think it could become a problem if another similar pattern aligns with this one on a DFA hot path. Ok, let's leave it in for now but keep it in mind if we see trouble. At least the timing measurements didn't show problems with the test-suite after I merged this (while I think I recall indeed seeing improvements there when you did the DPD regexp changes a while ago).

Robin

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

> [PATCH] add support for MIME type video/MP2T
> --------------------------------------------
>
>         Key: BIT-1457
>         URL: https://bro-tracker.atlassian.net/browse/BIT-1457
>     Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: Bro
>    Reporter: Mike Freemon
> Attachments: bro-git-patch-suppport-mime-type-video-MP2T.patch
>
>
> This is a merge request that adds support for MIME type video/MP2T

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From seth at icir.org Wed Aug 26 08:06:52 2015
From: seth at icir.org (Seth Hall)
Date: Wed, 26 Aug 2015 11:06:52 -0400
Subject: [Bro-Dev] [JIRA] (BIT-1457) [PATCH] add support for MIME type video/MP2T
In-Reply-To: <20150826144357.GU41831@icir.org>
References: <20150824175004.GD3571@icir.org> <00679D58-1F01-4F82-89AD-86C2DE492B41@icir.org> <20150826144357.GU41831@icir.org>
Message-ID: <1EBABF05-DC37-49CD-8EAD-61B28104085B@icir.org>

> On Aug 26, 2015, at 10:43 AM, Robin Sommer wrote:
> 
> At least the timing measurements
> didn't show problems with the test-suite after I merged this (while I
> think I recall indeed seeing improvements there when you did the DPD
> regexp changes a while ago).

Yep, there were performance improvements after we fixed the regexp stuff before.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jira at bro-tracker.atlassian.net Wed Aug 26 08:08:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Wed, 26 Aug 2015 10:08:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1457) [PATCH] add support for MIME type video/MP2T
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21804#comment-21804 ]

Seth Hall commented on BIT-1457:
--------------------------------

Yep, there were performance improvements after we fixed the regexp stuff before.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

> [PATCH] add support for MIME type video/MP2T
> --------------------------------------------
>
>                 Key: BIT-1457
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1457
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>            Reporter: Mike Freemon
>         Attachments: bro-git-patch-suppport-mime-type-video-MP2T.patch
>
>
> This is a merge request that adds support for MIME type video/MP2T

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From jira at bro-tracker.atlassian.net  Wed Aug 26 10:02:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 26 Aug 2015 12:02:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1468) logging documentation incomplete
In-Reply-To:
References:
Message-ID:

Johanna Amann created BIT-1468:
----------------------------------

             Summary: logging documentation incomplete
                 Key: BIT-1468
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1468
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Website
    Affects Versions: git/master
            Reporter: Johanna Amann
             Fix For: 2.5


https://www.bro.org/development/logging.html is currently incomplete; e.g. rotation is empty and the next section contains a sentence missing a link.

I am not even sure if we link that page from anywhere, and what its relationship to https://www.bro.org/sphinx-git/frameworks/logging.html is - but it is one of the top search results on Google.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From noreply at bro.org  Thu Aug 27 00:00:21 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 27 Aug 2015 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508270700.t7R70Lvm009662@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

  Issue    Component    User            Updated     Title
  -------  -----------  --------------  ----------  --------------------------------------------------
  #42 [1]  bro          J-Gras [2]      2015-08-24  Improved logging of Base64 errors [3]
  #40 [4]  bro          knielander [5]  2015-08-24  Enable linux fanout mode with Bro [6]
  #6 [7]   bro-plugins  jswaro [8]      2015-08-24  Adding initial conversion of TCPRS to a plugin [9]

[1] Pull Request #42 https://github.com/bro/bro/pull/42
[2] J-Gras https://github.com/J-Gras
[3] Merge Pull Request #42 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/base64-logging
[4] Pull Request #40 https://github.com/bro/bro/pull/40
[5] knielander https://github.com/knielander
[6] Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[7] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[8] jswaro https://github.com/jswaro
[9] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin

From jira at bro-tracker.atlassian.net  Thu Aug 27 21:56:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 27 Aug 2015 23:56:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1465) heap overflow in GetTimeFromAsn1
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1465?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1465:
-------------------------------

    Status: Merge Request  (was: Open)

> heap overflow in GetTimeFromAsn1
> --------------------------------
>
>                 Key: BIT-1465
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1465
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>         Attachments: gettimefromasn_bug.pcap
>
>
> This pcap requires -C
>
> {code}
> # bro -C -r gettimefromasn_bug.pcap
> =================================================================
> ==18126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001c0001 at pc 0x000000d1cd37 bp 0x7fffe6f622f0 sp 0x7fffe6f622e8
> READ of size 1 at 0x6020001c0001 thread T0
>     #0 0xd1cd36 in file_analysis::X509::GetTimeFromAsn1(asn1_string_st const*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:578:7
>     #1 0xd1b632 in file_analysis::X509::ParseCertificate(file_analysis::X509Val*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:134:31
>     #2 0xd1a93c in file_analysis::X509::EndOfFile() /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:55:27
>     #3 0xdd5513 in file_analysis::File::EndOfFile() /scratch/bro-clean/src/file_analysis/File.cc:522:10
>     #4 0xdc83e3 in file_analysis::Manager::RemoveFile(std::__cxx11::basic_string, std::allocator > const&) /scratch/bro-clean/src/file_analysis/Manager.cc:395:2
>     #5 0xbf3287 in binpac::RDP::RDP_Flow::proc_x509_cert_data(binpac::RDP::X509_Cert_Data*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3667:3
>     #6 0xbf288e in binpac::RDP::X509_Cert_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3390:10
>     #7 0xbf15bc in binpac::RDP::X509::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3316:25
>     #8 0xbefefc in binpac::RDP::Server_Certificate::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3022:19
>     #9 0xbe897b in binpac::RDP::Server_Security_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2935:2
>     #10 0xbe664a in binpac::RDP::Data_Block::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1176:30
>     #11 0xbe57c4 in binpac::RDP::Server_Header::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2513:31
>     #12 0xbe38a8 in binpac::RDP::DT_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1010:21
>     #13 0xbe16c7 in binpac::RDP::COTP::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:899:19
>     #14 0xbe10cd in binpac::RDP::TPKT::ParseBuffer(binpac::FlowBuffer*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:787:20
>     #15 0xbf3d4b in binpac::RDP::RDP_Flow::NewData(unsigned char const*, unsigned char const*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3436:35
>     #16 0xbd9b33 in analyzer::rdp::RDP_Analyzer::DeliverStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/rdp/RDP.cc:80:4
>     #17 0xe2506c in analyzer::Analyzer::NextStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:245:4
>     #18 0xe26530 in analyzer::Analyzer::ForwardStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:331:4
>     #19 0xce012d in analyzer::tcp::TCP_Reassembler::DeliverBlock(unsigned long, int, unsigned char const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:647:2
>     #20 0xcdfb77 in analyzer::tcp::TCP_Reassembler::BlockInserted(DataBlock*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:393:4
>     #21 0xce0a4a in analyzer::tcp::TCP_Reassembler::DataSent(double, unsigned long, int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:492:2
>     #22 0xcdc26d in analyzer::tcp::TCP_Endpoint::DataSent(double, unsigned long, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Endpoint.cc:205:12
>     #23 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverData(double, unsigned char const*, int, int, IP_Hdr const*, tcphdr const*, analyzer::tcp::TCP_Endpoint*, unsigned long, int, analyzer::tcp::TCP_Flags) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:982:9
>     #24 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1381
>     #25 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
>     #26 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
>     #27 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
>     #28 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
>     #29 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
>     #30 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
>     #31 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #32 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #33 0x7f3b3edbdb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #34 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From jira at bro-tracker.atlassian.net  Thu Aug 27 21:56:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 27 Aug 2015 23:56:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1465) heap overflow in GetTimeFromAsn1
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1465?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1465:
----------------------------------

    Assignee:     (was: Johanna Amann)

> heap overflow in GetTimeFromAsn1
> --------------------------------
>
>                 Key: BIT-1465
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1465
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>         Attachments: gettimefromasn_bug.pcap
>
>
> This pcap requires -C

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From jira at bro-tracker.atlassian.net  Thu Aug 27 21:56:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 27 Aug 2015 23:56:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1465) heap overflow in GetTimeFromAsn1
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21805#comment-21805 ]

Johanna Amann commented on BIT-1465:
------------------------------------

topic/johanna/BIT-1465 fixes this and is generally much more cautious when parsing ASN.1 dates.

Sorry, no test cases at the moment; I did not manage to trigger any of the warning messages that are given in the source code through OpenSSL sanitation of the input data.

Justin, could you take a look at whether this fixes the problem for you too? I was never able to trigger it with your trace.

> heap overflow in GetTimeFromAsn1
> --------------------------------
>
>                 Key: BIT-1465
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1465
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Assignee: Johanna Amann
>         Attachments: gettimefromasn_bug.pcap
>
>
> This pcap requires -C

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From jira at bro-tracker.atlassian.net  Thu Aug 27 22:15:01 2015
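The report in this thread is a one-byte heap read past the end of an ASN.1 time string inside GetTimeFromAsn1, and the fix branch is described as being more cautious when parsing ASN.1 dates. As an added example (not Bro's code and not the topic/johanna/BIT-1465 fix), here is a length-checked parser in C for the RFC 5280 profile of UTCTime and GeneralizedTime; the types `asn1_time_t` and `cal_time_t`, the function names, and the inputs in main are this example's own constructions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for OpenSSL's ASN1_STRING (constructed for this example): a
 * length-delimited buffer with NO NUL terminator, so a read at or beyond
 * `length` is exactly the one-byte heap over-read ASan reports above. */
typedef struct {
    const unsigned char *data;
    size_t length;
} asn1_time_t;

typedef enum { ASN1_UTCTIME_KIND, ASN1_GENERALIZEDTIME_KIND } asn1_time_kind;

typedef struct {
    int year, month, day, hour, minute, second;   /* always UTC ('Z') */
} cal_time_t;

/* Read exactly n ASCII digits at *pos. The first check is the whole point:
 * refuse the read if it would touch any byte at or beyond length. */
static bool read_digits(const asn1_time_t *t, size_t *pos, size_t n, int *out)
{
    if (n > t->length || *pos > t->length - n)   /* overflow-safe "*pos + n > length" */
        return false;
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = t->data[*pos + i];
        if (c < '0' || c > '9')
            return false;
        v = v * 10 + (c - '0');
    }
    *pos += n;
    *out = v;
    return true;
}

/* RFC 5280 profile of the two ASN.1 time types (both must end in 'Z'):
 *   UTCTime:         YYMMDDHHMMSSZ
 *   GeneralizedTime: YYYYMMDDHHMMSSZ
 * Every byte is bounds-checked; truncated or trailing input is rejected. */
bool parse_asn1_time(const asn1_time_t *t, asn1_time_kind kind, cal_time_t *out)
{
    size_t pos = 0;
    cal_time_t r = {0};

    if (t == NULL || t->data == NULL || out == NULL)
        return false;
    if (kind == ASN1_GENERALIZEDTIME_KIND) {
        if (!read_digits(t, &pos, 4, &r.year))
            return false;
    } else {
        int yy;
        if (!read_digits(t, &pos, 2, &yy))
            return false;
        r.year = (yy >= 50) ? 1900 + yy : 2000 + yy;   /* RFC 5280 two-digit year rule */
    }
    if (!read_digits(t, &pos, 2, &r.month) || !read_digits(t, &pos, 2, &r.day) ||
        !read_digits(t, &pos, 2, &r.hour) || !read_digits(t, &pos, 2, &r.minute) ||
        !read_digits(t, &pos, 2, &r.second))
        return false;
    /* The 'Z' must exist. Checking pos against length BEFORE touching data[pos]
     * is what turns a heap over-read into a clean parse failure. */
    if (pos >= t->length || t->data[pos] != 'Z')
        return false;
    if (++pos != t->length)   /* bytes after the 'Z' are not a valid time */
        return false;
    if (r.month < 1 || r.month > 12 || r.day < 1 || r.day > 31 ||
        r.hour > 23 || r.minute > 59 || r.second > 59)
        return false;
    *out = r;
    return true;
}

/* Convenience wrapper for NUL-terminated strings; the parser never relies on the NUL. */
bool parse_time_str(const char *s, asn1_time_kind kind, cal_time_t *out)
{
    asn1_time_t t = { (const unsigned char *)s, strlen(s) };
    return parse_asn1_time(&t, kind, out);
}

int main(void)
{
    /* Constructed input: exactly 12 bytes, no NUL, 'Z' missing. A parser that
     * tests data[12] == 'Z' before checking the length reads out of bounds. */
    unsigned char cut[12];
    memcpy(cut, "150827215600", sizeof cut);
    asn1_time_t t = { cut, sizeof cut };
    cal_time_t ct;
    printf("truncated UTCTime: %s\n",
           parse_asn1_time(&t, ASN1_UTCTIME_KIND, &ct) ? "accepted" : "rejected");
    if (parse_time_str("20150827215600Z", ASN1_GENERALIZEDTIME_KIND, &ct))
        printf("GeneralizedTime: %04d-%02d-%02d %02d:%02d:%02dZ\n",
               ct.year, ct.month, ct.day, ct.hour, ct.minute, ct.second);
    return 0;
}
```

Built with -fsanitize=address, the truncated input is rejected by the length check rather than caught as an over-read, which is the property a fuzz harness around this kind of parser should assert.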
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Fri, 28 Aug 2015 00:15:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1465) heap overflow in GetTimeFromAsn1
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21806#comment-21806 ]

Justin Azoff commented on BIT-1465:
-----------------------------------

I can no longer reproduce the crash

> heap overflow in GetTimeFromAsn1
> --------------------------------
>
>                 Key: BIT-1465
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1465
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>         Attachments: gettimefromasn_bug.pcap
>
>
> This pcap requires -C

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From noreply at bro.org  Fri Aug 28 00:00:21 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 28 Aug 2015 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508280700.t7S70LdV022478@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component  Reporter      Assignee  Updated     For Version  Priority  Summary
  ------------  ---------  ------------  --------  ----------  -----------  --------  --------------------------------
  BIT-1465 [1]  Bro        Justin Azoff  -         2015-08-28  -            Normal    heap overflow in GetTimeFromAsn1

Open GitHub Pull Requests
=========================

  Issue    Component    User            Updated     Title
  -------  -----------  --------------  ----------  ---------------------------------------------------
  #42 [2]  bro          J-Gras [3]      2015-08-24  Improved logging of Base64 errors [4]
  #40 [5]  bro          knielander [6]  2015-08-24  Enable linux fanout mode with Bro [7]
  #6 [8]   bro-plugins  jswaro [9]      2015-08-24  Adding initial conversion of TCPRS to a plugin [10]

[1] BIT-1465 https://bro-tracker.atlassian.net/browse/BIT-1465
[2] Pull Request #42 https://github.com/bro/bro/pull/42
[3] J-Gras https://github.com/J-Gras
[4] Merge Pull Request #42 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/base64-logging
[5] Pull Request #40 https://github.com/bro/bro/pull/40
[6] knielander https://github.com/knielander
[7] Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[8] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[9] jswaro https://github.com/jswaro
[10] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin

From jira at bro-tracker.atlassian.net  Fri Aug 28 12:17:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 28 Aug 2015 14:17:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1459) bro segfaults at analyzer::mime::MIME_Entity::ParseFieldParameters
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1459?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1459:
----------------------------------

    Assignee: Johanna Amann

> bro segfaults at analyzer::mime::MIME_Entity::ParseFieldParameters
> -------------------------------------------------------------------
>
>                 Key: BIT-1459
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1459
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>         Environment: 2xXeon E5540, 64GB RAM, Linux 3.18.11, PF_RING 6.0.3 ZC (zbalance_ipc), bro cluster
>            Reporter: Alexander Zatserkovnyy
>            Assignee: Johanna Amann
>              Labels: mime
>
> Bro worker segfaults occurred from time to time after the upgrade to bro 2.4-78. Looks like the problem arises in analyzer::mime::MIME_Entity::ParseFieldParameters (/usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126). A couple of core listings follow:
>
> Core was generated by `/usr/local/bin/bro -i zc:99@2 -U .status -p broctl -p broctl-live -p local -p w'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  analyzer::mime::MIME_Entity::ParseFieldParameters (this=this@entry=0x8aae540, len=16, len@entry=27, data=0x2447faec "(UploadBoundary)", data@entry=0x2447fae1 "; boundary=(UploadBoundary)")
>     at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126
> 126     static data_chunk_t get_data_chunk(BroString* s)
> (gdb) backtrace
> #0  analyzer::mime::MIME_Entity::ParseFieldParameters (this=this@entry=0x8aae540, len=16, len@entry=27, data=0x2447faec "(UploadBoundary)", data@entry=0x2447fae1 "; boundary=(UploadBoundary)")
>     at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126
> #1  0x0000000000769f7c in analyzer::mime::MIME_Entity::ParseContentTypeField (this=this@entry=0x8aae540, h=h@entry=0x521ddc0) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:799
> #2  0x000000000076a1d1 in analyzer::mime::MIME_Entity::ParseMIMEHeader (this=this@entry=0x8aae540, h=h@entry=0x521ddc0) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:763
> #3  0x000000000076b638 in analyzer::mime::MIME_Entity::FinishHeader (this=this@entry=0x8aae540) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:735
> #4  0x000000000076b821 in analyzer::mime::MIME_Entity::NewHeader (this=0x8aae540, len=13, data=0x1704a3c0 "Host: fegi.ru") at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:699
> #5  0x0000000000721490 in analyzer::http::HTTP_Analyzer::DeliverStream (this=0xbd9f080, len=13, data=0x1704a3c0 "Host: fegi.ru", is_orig=)
>     at /usr/src/other/bro/src/analyzer/protocol/http/HTTP.cc:1038
> #6  0x00000000007f0ded in analyzer::tcp::ContentLine_Analyzer::DoDeliverOnce (this=this@entry=0x14fbe090, len=, len@entry=84, data=,
>     data@entry=0xcd56528 "Host: fegi.ru\r\nContent-Length: 185\r\nExpect: 100-continue\r\nConnection: Keep-Alive\r\n\r\n") at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:258
> #7  0x00000000007f0fbb in analyzer::tcp::ContentLine_Analyzer::DoDeliver (this=0x14fbe090, len=84,
>     data=0xcd56528 "Host: fegi.ru\r\nContent-Length: 185\r\nExpect: 100-continue\r\nConnection: Keep-Alive\r\n\r\n") at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:200
> #8  0x00000000007f07b0 in analyzer::tcp::ContentLine_Analyzer::DeliverStream (this=0x14fbe090, len=,
>     data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"..., is_orig=) at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:108
> #9  0x0000000000861216 in analyzer::Analyzer::NextStream (this=0x14fbe090, len=444,
>     data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:245
> #10 0x00000000008619a6 in analyzer::Analyzer::ForwardStream (this=0x14ea0000, len=444,
>     data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:331
> #11 0x00000000007efb49 in analyzer::tcp::TCP_Reassembler::DeliverBlock (this=this@entry=0xc6d7800, seq=seq@entry=1, len=len@entry=444,
>     data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"...)
>     at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:650
> #12 0x00000000007efe79 in analyzer::tcp::TCP_Reassembler::BlockInserted (this=0xc6d7800, start_block=) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:396
> #13 0x00000000007ef9cc in analyzer::tcp::TCP_Reassembler::DataSent (this=0xc6d7800, t=, seq=, len=, len@entry=444, data=,
>     data@entry=0x7f5b768985b6 , replaying=replaying@entry=true) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:495
> #14 0x00000000007ee341 in analyzer::tcp::TCP_Endpoint::DataSent (this=this@entry=0x710d620, t=, seq=seq@entry=1, len=444, caplen=444,
>     data=0x7f5b768985b6 , ip=ip@entry=0x7ffcb14c4f90, tp=tp@entry=0x7f5b768985a2)
>     at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Endpoint.cc:207
> #15 0x00000000007eba12 in DeliverData (flags=..., is_orig=, rel_data_seq=1, endpoint=0x710d620, tp=0x7f5b768985a2, ip=0x7ffcb14c4f90, caplen=, len=,
>     data=, t=, this=0x14ea0000) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:982
> #16 analyzer::tcp::TCP_Analyzer::DeliverPacket (this=0x14ea0000, len=444, data=0x7f5b768985b6 , is_orig=, seq=,
>     ip=0x7ffcb14c4f90, caplen=444) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:1382
> #17 0x00000000008610c2 in analyzer::Analyzer::NextPacket (this=0x14ea0000, len=464, data=0x7f5b768985a2 , is_orig=,
>     seq=18446744073709551615, ip=0x7ffcb14c4f90, caplen=464) at /usr/src/other/bro/src/analyzer/Analyzer.cc:222
> #18 0x000000000056979d in Connection::NextPacket (this=this@entry=0x1d1b6540, t=t@entry=1439902857.1053071, is_orig=is_orig@entry=1, ip=ip@entry=0x7ffcb14c4f90, len=len@entry=464,
>     caplen=caplen@entry=464, data=@0x7ffcb14c4e08: 0x7f5b768985a2 , record_packet=, record_content=,
>     pkt=, pkt@entry=0x2821530) at /usr/src/other/bro/src/Conn.cc:260
> #19 0x00000000006038a0 in NetSessions::DoNextPacket (this=this@entry=0x2d603c0, t=t@entry=1439902857.1053071, pkt=pkt@entry=0x2821530, ip_hdr=ip_hdr@entry=0x7ffcb14c4f90,
>     encapsulation=encapsulation@entry=0x0) at /usr/src/other/bro/src/Sessions.cc:735
> #20 0x0000000000604824 in NetSessions::NextPacket (this=0x2d603c0, t=t@entry=1439902857.1053071, pkt=pkt@entry=0x2821530) at /usr/src/other/bro/src/Sessions.cc:207
> #21 0x00000000005d456f in net_packet_dispatch (t=1439902857.1053071, pkt=pkt@entry=0x2821530, src_ps=src_ps@entry=0x2821500) at /usr/src/other/bro/src/Net.cc:273
> #22 0x0000000000834539 in iosource::PktSrc::Process (this=0x2821500) at /usr/src/other/bro/src/iosource/PktSrc.cc:265
> #23 0x00000000005d4a0f in net_run () at /usr/src/other/bro/src/Net.cc:321
> #24 0x00000000005346dc in main (argc=, argv=) at /usr/src/other/bro/src/main.cc:1191
> ---------------------------------------------------------------------------------------------------------------------
> #0  analyzer::mime::MIME_Entity::ParseFieldParameters (this=this@entry=0x16141d40, len=0, len@entry=11, data=0x1c0d0e9c "", data@entry=0x1c0d0e91 "; boundary=")
>     at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126
> #1  0x0000000000769f7c in analyzer::mime::MIME_Entity::ParseContentTypeField (this=this@entry=0x16141d40, h=h@entry=0x1a46c740) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:799
> #2  0x000000000076a1d1 in analyzer::mime::MIME_Entity::ParseMIMEHeader (this=this@entry=0x16141d40, h=h@entry=0x1a46c740) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:763
> #3  0x000000000076b638 in analyzer::mime::MIME_Entity::FinishHeader (this=this@entry=0x16141d40) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:735
> #4  0x000000000076b821 in analyzer::mime::MIME_Entity::NewHeader (this=0x16141d40, len=175,
>     data=0xd0dee00 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36")
>     at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:699
> #5  0x0000000000721490 in analyzer::http::HTTP_Analyzer::DeliverStream (this=0xe7c4080, len=175,
>     data=0xd0dee00 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36",
>     is_orig=) at /usr/src/other/bro/src/analyzer/protocol/http/HTTP.cc:1038
> #6  0x00000000007f0ded in analyzer::tcp::ContentLine_Analyzer::DoDeliverOnce (this=this@entry=0xe806450, len=, len@entry=265, data=,
>     data@entry=0x21c2647 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36\r\nAccept-Encoding: gzip, "...) at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:258
> #7  0x00000000007f0fbb in analyzer::tcp::ContentLine_Analyzer::DoDeliver (this=0xe806450, len=265,
>     data=0x21c2647 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36\r\nAccept-Encoding: gzip, "...) at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:200
> #8  0x00000000007f07b0 in analyzer::tcp::ContentLine_Analyzer::DeliverStream (this=0xe806450, len=,
>     data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"..., is_orig=) at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:108
> #9  0x0000000000861216 in analyzer::Analyzer::NextStream (this=0xe806450, len=464,
>     data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:245
> #10 0x00000000008619a6 in analyzer::Analyzer::ForwardStream (this=0xb172f20, len=464,
>     data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:331
> #11 0x00000000007efb49 in analyzer::tcp::TCP_Reassembler::DeliverBlock (this=this@entry=0x167805a0, seq=seq@entry=1, len=len@entry=464,
>     data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"...)
>     at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:650
> #12 0x00000000007efe79 in analyzer::tcp::TCP_Reassembler::BlockInserted (this=0x167805a0, start_block=) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:396
> #13 0x00000000007ef9cc in analyzer::tcp::TCP_Reassembler::DataSent (this=0x167805a0, t=, seq=, len=, len@entry=464, data=,
>     data@entry=0x7f9c1b006442 , replaying=replaying@entry=true) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:495
> #14 0x00000000007ee341 in analyzer::tcp::TCP_Endpoint::DataSent (this=this@entry=0x4bb1fb0, t=, seq=seq@entry=1, len=464, caplen=464,
>     data=0x7f9c1b006442 , ip=ip@entry=0x7fff4034c130, tp=tp@entry=0x7f9c1b006422)
>     at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Endpoint.cc:207
> #15 0x00000000007eba12 in DeliverData (flags=..., is_orig=, rel_data_seq=1, endpoint=0x4bb1fb0, tp=0x7f9c1b006422, ip=0x7fff4034c130, caplen=, len=,
>     data=, t=, this=0xb172f20) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:982
> #16 analyzer::tcp::TCP_Analyzer::DeliverPacket (this=0xb172f20, len=464, data=0x7f9c1b006442 , is_orig=, seq=,
>     ip=0x7fff4034c130, caplen=464) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:1382
> #17 0x00000000008610c2 in analyzer::Analyzer::NextPacket (this=0xb172f20, len=496, data=0x7f9c1b006422 , is_orig=,
>     seq=18446744073709551615, ip=0x7fff4034c130, caplen=496) at /usr/src/other/bro/src/analyzer/Analyzer.cc:222
> #18 0x000000000056979d in Connection::NextPacket (this=this@entry=0x11e52f40, t=t@entry=1439788398.623282, is_orig=is_orig@entry=1, ip=ip@entry=0x7fff4034c130, len=len@entry=496,
>     caplen=caplen@entry=496, data=@0x7fff4034bfa8: 0x7f9c1b006422 , record_packet=, record_content=,
>     pkt=, pkt@entry=0x251a870) at /usr/src/other/bro/src/Conn.cc:260
> #19 0x00000000006038a0 in NetSessions::DoNextPacket (this=this@entry=0x2a583c0, t=t@entry=1439788398.623282, pkt=pkt@entry=0x251a870, ip_hdr=ip_hdr@entry=0x7fff4034c130,
>     encapsulation=encapsulation@entry=0x0) at /usr/src/other/bro/src/Sessions.cc:735
> #20 0x0000000000604824 in NetSessions::NextPacket (this=0x2a583c0, t=t@entry=1439788398.623282, pkt=pkt@entry=0x251a870) at /usr/src/other/bro/src/Sessions.cc:207
> #21 0x00000000005d456f in net_packet_dispatch (t=1439788398.623282, pkt=pkt@entry=0x251a870, src_ps=src_ps@entry=0x251a840) at /usr/src/other/bro/src/Net.cc:273
> #22 0x0000000000834539 in iosource::PktSrc::Process (this=0x251a840) at /usr/src/other/bro/src/iosource/PktSrc.cc:265
> #23 0x00000000005d4a0f in net_run () at /usr/src/other/bro/src/Net.cc:321
> #24 0x00000000005346dc in main (argc=, argv=) at /usr/src/other/bro/src/main.cc:1191

From jira at bro-tracker.atlassian.net Fri Aug 28 13:40:02 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 28 Aug 2015 15:40:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1459) bro segfaults at analyzer::mime::MIME_Entity::ParseFieldParameters
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21807#comment-21807 ]

Johanna Amann commented on BIT-1459:
------------------------------------

This should be fixed in topic/johanna/BIT-1459

> bro segfaults at analyzer::mime::MIME_Entity::ParseFieldParameters
> -------------------------------------------------------------------
>
>                 Key: BIT-1459
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1459

From jira at bro-tracker.atlassian.net Fri Aug 28 13:40:02 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 28 Aug 2015 15:40:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1459) bro segfaults at analyzer::mime::MIME_Entity::ParseFieldParameters
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1459?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1459:
-------------------------------

    Status: Merge Request  (was: Open)
    Assignee:     (was: Johanna Amann)

> bro segfaults at analyzer::mime::MIME_Entity::ParseFieldParameters
> -------------------------------------------------------------------
>
>                 Key: BIT-1459
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1459
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>         Environment: 2xXeon E5540, 64GB RAM, Linux 3.18.11, PF_RING 6.0.3 ZC (zbalance_ipc), bro cluster
>            Reporter: Alexander Zatserkovnyy
>              Labels: mime
>
> Bro worker segfaults occurred from time to time after the upgrade to bro 2.4-78. Looks like the problem arises in analyzer::mime::MIME_Entity::ParseFieldParameters (/usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126). A couple of core listings follow:
>
> Core was generated by `/usr/local/bin/bro -i zc:99@2 -U .status -p broctl -p broctl-live -p local -p w'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  analyzer::mime::MIME_Entity::ParseFieldParameters (this=this@entry=0x8aae540, len=16, len@entry=27, data=0x2447faec "(UploadBoundary)", data@entry=0x2447fae1 "; boundary=(UploadBoundary)")
>     at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126
> 126     static data_chunk_t get_data_chunk(BroString* s)
> (gdb) backtrace
> #0  analyzer::mime::MIME_Entity::ParseFieldParameters (this=this@entry=0x8aae540, len=16, len@entry=27, data=0x2447faec "(UploadBoundary)", data@entry=0x2447fae1 "; boundary=(UploadBoundary)")
>     at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126
> #1  0x0000000000769f7c in analyzer::mime::MIME_Entity::ParseContentTypeField (this=this@entry=0x8aae540, h=h@entry=0x521ddc0) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:799
> #2  0x000000000076a1d1 in analyzer::mime::MIME_Entity::ParseMIMEHeader (this=this@entry=0x8aae540, h=h@entry=0x521ddc0) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:763
> #3  0x000000000076b638 in analyzer::mime::MIME_Entity::FinishHeader (this=this@entry=0x8aae540) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:735
> #4  0x000000000076b821 in analyzer::mime::MIME_Entity::NewHeader (this=0x8aae540, len=13, data=0x1704a3c0 "Host: fegi.ru") at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:699
> #5  0x0000000000721490 in analyzer::http::HTTP_Analyzer::DeliverStream (this=0xbd9f080, len=13, data=0x1704a3c0 "Host: fegi.ru", is_orig=)
>     at /usr/src/other/bro/src/analyzer/protocol/http/HTTP.cc:1038
> #6  0x00000000007f0ded in analyzer::tcp::ContentLine_Analyzer::DoDeliverOnce (this=this@entry=0x14fbe090, len=, len@entry=84, data=,
>     data@entry=0xcd56528 "Host: fegi.ru\r\nContent-Length: 185\r\nExpect: 100-continue\r\nConnection: Keep-Alive\r\n\r\n") at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:258
> #7  0x00000000007f0fbb in analyzer::tcp::ContentLine_Analyzer::DoDeliver (this=0x14fbe090, len=84,
>     data=0xcd56528 "Host: fegi.ru\r\nContent-Length: 185\r\nExpect: 100-continue\r\nConnection: Keep-Alive\r\n\r\n") at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:200
> #8  0x00000000007f07b0 in analyzer::tcp::ContentLine_Analyzer::DeliverStream (this=0x14fbe090, len=,
>     data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"..., is_orig=) at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:108
> #9  0x0000000000861216 in analyzer::Analyzer::NextStream (this=0x14fbe090, len=444,
>     data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:245
> #10 0x00000000008619a6 in analyzer::Analyzer::ForwardStream (this=0x14ea0000, len=444,
>     data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:331
> #11 0x00000000007efb49 in analyzer::tcp::TCP_Reassembler::DeliverBlock (this=this@entry=0xc6d7800, seq=seq@entry=1, len=len@entry=444,
>     data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"...)
>     at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:650
> #12 0x00000000007efe79 in analyzer::tcp::TCP_Reassembler::BlockInserted (this=0xc6d7800, start_block=) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:396
> #13 0x00000000007ef9cc in analyzer::tcp::TCP_Reassembler::DataSent (this=0xc6d7800, t=, seq=, len=, len@entry=444, data=,
>     data@entry=0x7f5b768985b6 , replaying=replaying@entry=true) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:495
> #14 0x00000000007ee341 in analyzer::tcp::TCP_Endpoint::DataSent (this=this@entry=0x710d620, t=, seq=seq@entry=1, len=444, caplen=444,
>     data=0x7f5b768985b6 , ip=ip@entry=0x7ffcb14c4f90, tp=tp@entry=0x7f5b768985a2)
>     at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Endpoint.cc:207
> #15 0x00000000007eba12 in DeliverData (flags=..., is_orig=, rel_data_seq=1, endpoint=0x710d620, tp=0x7f5b768985a2, ip=0x7ffcb14c4f90, caplen=, len=,
>     data=, t=, this=0x14ea0000) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:982
> #16 analyzer::tcp::TCP_Analyzer::DeliverPacket (this=0x14ea0000, len=444, data=0x7f5b768985b6 , is_orig=, seq=,
>     ip=0x7ffcb14c4f90, caplen=444) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:1382
> #17 0x00000000008610c2 in analyzer::Analyzer::NextPacket (this=0x14ea0000, len=464, data=0x7f5b768985a2 , is_orig=,
>     seq=18446744073709551615, ip=0x7ffcb14c4f90, caplen=464) at /usr/src/other/bro/src/analyzer/Analyzer.cc:222
> #18 0x000000000056979d in Connection::NextPacket (this=this@entry=0x1d1b6540, t=t@entry=1439902857.1053071, is_orig=is_orig@entry=1, ip=ip@entry=0x7ffcb14c4f90, len=len@entry=464,
>     caplen=caplen@entry=464, data=@0x7ffcb14c4e08: 0x7f5b768985a2 , record_packet=, record_content=,
>     pkt=, pkt@entry=0x2821530) at /usr/src/other/bro/src/Conn.cc:260
> #19 0x00000000006038a0 in NetSessions::DoNextPacket (this=this@entry=0x2d603c0, t=t@entry=1439902857.1053071, pkt=pkt@
entry=0x2821530, ip_hdr=ip_hdr at entry=0x7ffcb14c4f90, > encapsulation=encapsulation at entry=0x0) at /usr/src/other/bro/src/Sessions.cc:735 > #20 0x0000000000604824 in NetSessions::NextPacket (this=0x2d603c0, t=t at entry=1439902857.1053071, pkt=pkt at entry=0x2821530) at /usr/src/other/bro/src/Sessions.cc:207 > #21 0x00000000005d456f in net_packet_dispatch (t=1439902857.1053071, pkt=pkt at entry=0x2821530, src_ps=src_ps at entry=0x2821500) at /usr/src/other/bro/src/Net.cc:273 > #22 0x0000000000834539 in iosource::PktSrc::Process (this=0x2821500) at /usr/src/other/bro/src/iosource/PktSrc.cc:265 > #23 0x00000000005d4a0f in net_run () at /usr/src/other/bro/src/Net.cc:321 > #24 0x00000000005346dc in main (argc=, argv=) at /usr/src/other/bro/src/main.cc:1191 > --------------------------------------------------------------------------------------------------------------------- > #0 analyzer::mime::MIME_Entity::ParseFieldParameters (this=this at entry=0x16141d40, len=0, len at entry=11, data=0x1c0d0e9c "", data at entry=0x1c0d0e91 "; boundary=") > at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126 > #1 0x0000000000769f7c in analyzer::mime::MIME_Entity::ParseContentTypeField (this=this at entry=0x16141d40, h=h at entry=0x1a46c740) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:799 > #2 0x000000000076a1d1 in analyzer::mime::MIME_Entity::ParseMIMEHeader (this=this at entry=0x16141d40, h=h at entry=0x1a46c740) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:763 > #3 0x000000000076b638 in analyzer::mime::MIME_Entity::FinishHeader (this=this at entry=0x16141d40) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:735 > #4 0x000000000076b821 in analyzer::mime::MIME_Entity::NewHeader (this=0x16141d40, len=175, > data=0xd0dee00 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36") > at 
/usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:699 > #5 0x0000000000721490 in analyzer::http::HTTP_Analyzer::DeliverStream (this=0xe7c4080, len=175, > data=0xd0dee00 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36", > is_orig=) at /usr/src/other/bro/src/analyzer/protocol/http/HTTP.cc:1038 > #6 0x00000000007f0ded in analyzer::tcp::ContentLine_Analyzer::DoDeliverOnce (this=this at entry=0xe806450, len=, len at entry=265, data=, > data at entry=0x21c2647 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36\r\nAccept-Encoding: gzip, "...) at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:258 > #7 0x00000000007f0fbb in analyzer::tcp::ContentLine_Analyzer::DoDeliver (this=0xe806450, len=265, > data=0x21c2647 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36\r\nAccept-Encoding: gzip, "...) 
at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:200 > #8 0x00000000007f07b0 in analyzer::tcp::ContentLine_Analyzer::DeliverStream (this=0xe806450, len=, > data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"..., is_orig=) at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:108 > #9 0x0000000000861216 in analyzer::Analyzer::NextStream (this=0xe806450, len=464, > data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:245 > #10 0x00000000008619a6 in analyzer::Analyzer::ForwardStream (this=0xb172f20, len=464, > data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:331 > #11 0x00000000007efb49 in analyzer::tcp::TCP_Reassembler::DeliverBlock (this=this at entry=0x167805a0, seq=seq at entry=1, len=len at entry=464, > data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"...) 
at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:650 > #12 0x00000000007efe79 in analyzer::tcp::TCP_Reassembler::BlockInserted (this=0x167805a0, start_block=) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:396 > #13 0x00000000007ef9cc in analyzer::tcp::TCP_Reassembler::DataSent (this=0x167805a0, t=, seq=, len=, len at entry=464, data=, > data at entry=0x7f9c1b006442 , replaying=replaying at entry=true) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:495 > #14 0x00000000007ee341 in analyzer::tcp::TCP_Endpoint::DataSent (this=this at entry=0x4bb1fb0, t=, seq=seq at entry=1, len=464, caplen=464, > data=0x7f9c1b006442 , ip=ip at entry=0x7fff4034c130, tp=tp at entry=0x7f9c1b006422) > at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Endpoint.cc:207 > #15 0x00000000007eba12 in DeliverData (flags=..., is_orig=, rel_data_seq=1, endpoint=0x4bb1fb0, tp=0x7f9c1b006422, ip=0x7fff4034c130, caplen=, len=, > data=, t=, this=0xb172f20) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:982 > #16 analyzer::tcp::TCP_Analyzer::DeliverPacket (this=0xb172f20, len=464, data=0x7f9c1b006442 , is_orig=, seq=, > ip=0x7fff4034c130, caplen=464) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:1382 > #17 0x00000000008610c2 in analyzer::Analyzer::NextPacket (this=0xb172f20, len=496, data=0x7f9c1b006422 , is_orig=, > seq=18446744073709551615, ip=0x7fff4034c130, caplen=496) at /usr/src/other/bro/src/analyzer/Analyzer.cc:222 > #18 0x000000000056979d in Connection::NextPacket (this=this at entry=0x11e52f40, t=t at entry=1439788398.623282, is_orig=is_orig at entry=1, ip=ip at entry=0x7fff4034c130, len=len at entry=496, > caplen=caplen at entry=496, data=@0x7fff4034bfa8: 0x7f9c1b006422 , record_packet=, record_content=, > pkt=, pkt at entry=0x251a870) at /usr/src/other/bro/src/Conn.cc:260 > #19 0x00000000006038a0 in NetSessions::DoNextPacket (this=this at entry=0x2a583c0, t=t at entry=1439788398.623282, pkt=pkt at entry=0x251a870, 
ip_hdr=ip_hdr at entry=0x7fff4034c130, > encapsulation=encapsulation at entry=0x0) at /usr/src/other/bro/src/Sessions.cc:735 > #20 0x0000000000604824 in NetSessions::NextPacket (this=0x2a583c0, t=t at entry=1439788398.623282, pkt=pkt at entry=0x251a870) at /usr/src/other/bro/src/Sessions.cc:207 > #21 0x00000000005d456f in net_packet_dispatch (t=1439788398.623282, pkt=pkt at entry=0x251a870, src_ps=src_ps at entry=0x251a840) at /usr/src/other/bro/src/Net.cc:273 > #22 0x0000000000834539 in iosource::PktSrc::Process (this=0x251a840) at /usr/src/other/bro/src/iosource/PktSrc.cc:265 > #23 0x00000000005d4a0f in net_run () at /usr/src/other/bro/src/Net.cc:321 > #24 0x00000000005346dc in main (argc=, argv=) at /usr/src/other/bro/src/main.cc:1191 -- This message was sent by Atlassian JIRA (v7.0.0-OD-02-247#70102) From jira at bro-tracker.atlassian.net Fri Aug 28 17:24:01 2015 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 28 Aug 2015 19:24:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1464) heap overflow in build_syn_packet_val

    [ https://bro-tracker.atlassian.net/browse/BIT-1464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21808#comment-21808 ]

Johanna Amann commented on BIT-1464:
------------------------------------

Could you please verify this one again? I cannot reproduce it with the attached trace. I compiled Bro with -fsanitize=address for c, cpp and ldflags. Compiler is

{code}
caddy:~/asn1 $ clang --version
clang version 3.5.2
Target: x86_64-unknown-linux-gnu
Thread model: posix
{code}

Full output when run is:

{code}
$ bro -r build_syn_packet_val_bug.pcap
1370797808.455532 warning in /home/johanna/bro/install-master/share/bro/base/misc/find-filtered-trace.bro, line 48: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.
{code}

I also took a look at the code and did not really get far - the line it points to (52 in tcp.cc) seems to be right after a check that checks that enough data is present in the header.

> heap overflow in build_syn_packet_val
> -------------------------------------
>
>                 Key: BIT-1464
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1464
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>         Attachments: build_syn_packet_val_bug.pcap
>
>
> {code}
> # bro -r build_syn_packet_val_bug.pcap
> =================================================================
> ==15198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000e45266 at pc 0x000000cd6731 bp 0x7fff061fe1b0 sp 0x7fff061fe1a8
> READ of size 1 at 0x607000e45266 thread T0
>     #0 0xcd6730 in build_syn_packet_val(int, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:52:3
>     #1 0xcd6730 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1274
>     #2 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
>     #3 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
>     #4 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
>     #5 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
>     #6 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
>     #7 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
>     #8 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #9 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #10 0x7f204146cb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #11 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From jira at bro-tracker.atlassian.net  Fri Aug 28 20:16:01 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Fri, 28 Aug 2015 22:16:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1464) heap overflow in build_syn_packet_val

    [ https://bro-tracker.atlassian.net/browse/BIT-1464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21809#comment-21809 ]

Justin Azoff commented on BIT-1464:
-----------------------------------

Yeah, still get the same backtrace here. I think the problem is that bro is casting a buffer that is too small to a tcphdr. The 2nd packet in the pcap only has a length of 60 instead of the minimum length of 64 for a tcp packet. I don't think you can route such a packet over the internet at least :-)

> heap overflow in build_syn_packet_val
> -------------------------------------
>
>                 Key: BIT-1464
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1464
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>         Attachments: build_syn_packet_val_bug.pcap
>
>
> {code}
> # bro -r build_syn_packet_val_bug.pcap
> =================================================================
> ==15198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000e45266 at pc 0x000000cd6731 bp 0x7fff061fe1b0 sp 0x7fff061fe1a8
> READ of size 1 at 0x607000e45266 thread T0
>     #0 0xcd6730 in build_syn_packet_val(int, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:52:3
>     #1 0xcd6730 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1274
>     #2 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
>     #3 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
>     #4 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
>     #5 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
>     #6 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
>     #7 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
>     #8 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #9 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #10 0x7f204146cb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #11 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From jira at bro-tracker.atlassian.net  Fri Aug 28 20:30:00 2015
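Justin's diagnosis above (a capture too short for a tcphdr being cast and read) is the textbook case for a length check before the cast. As an added example that is not Bro's code and not from the ticket, here is a bounds-checked TCP SYN header and option parser in C; the packet bytes are constructed, and the negative return codes are this example's own convention.

```c
/* Added example (not Bro's code): bounds-checked parsing of a TCP SYN header and
 * its options. The defence against the BIT-1464 read past a short capture is to
 * check caplen against both the fixed header and the claimed data offset first. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_MIN_HDR 20u            /* fixed TCP header, no options */

typedef struct {
    uint16_t sport, dport, window;
    uint8_t  hlen, flags, wscale;  /* hlen = data offset * 4; wscale 0 if absent */
    uint16_t mss;                  /* 0 if the MSS option is absent */
    int      sack_ok;              /* 1 if SACK-permitted is present */
} syn_info_t;

/* Parse the TCP header at buf, of which caplen bytes were actually captured.
 * Returns 0 on success; a negative code names the check that failed. */
int parse_tcp_syn(const uint8_t *buf, size_t caplen, syn_info_t *out)
{
    if (caplen < TCP_MIN_HDR) return -1;           /* shorter than the fixed header */
    size_t hlen = (size_t)(buf[12] >> 4) * 4;      /* data offset field, in bytes */
    if (hlen < TCP_MIN_HDR) return -2;             /* offset inside the fixed header */
    if (hlen > caplen) return -3;                  /* header claims uncaptured bytes */

    memset(out, 0, sizeof *out);
    out->sport  = (uint16_t)(buf[0] << 8 | buf[1]);
    out->dport  = (uint16_t)(buf[2] << 8 | buf[3]);
    out->hlen   = (uint8_t)hlen;
    out->flags  = buf[13];
    out->window = (uint16_t)(buf[14] << 8 | buf[15]);

    /* Options occupy [20, hlen); every index below stays < hlen <= caplen. */
    for (size_t i = TCP_MIN_HDR; i < hlen; ) {
        uint8_t kind = buf[i];
        if (kind == 0) break;                      /* EOL: remainder is padding */
        if (kind == 1) { i++; continue; }          /* NOP: one byte, no length */
        if (i + 1 >= hlen) return -4;              /* length byte outside header */
        uint8_t olen = buf[i + 1];
        if (olen < 2 || i + olen > hlen) return -5; /* zero-advance or overlong */
        switch (kind) {
        case 2: if (olen == 4) out->mss = (uint16_t)(buf[i + 2] << 8 | buf[i + 3]); break;
        case 3: if (olen == 3) out->wscale = buf[i + 2]; break;
        case 4: if (olen == 2) out->sack_ok = 1; break;
        default: break;                            /* unknown kind: skip by length */
        }
        i += olen;
    }
    return 0;
}

/* Constructed SYN 40000 -> 80, data offset 8 (32 bytes): MSS 1460, NOP,
 * window scale 7, SACK-permitted, two bytes of EOL padding. */
static const uint8_t sample_syn[32] = {
    0x9c, 0x40, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x80, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x04, 0x05, 0xb4, 0x01, 0x03, 0x03, 0x07, 0x04, 0x02, 0x00, 0x00
};

/* Parse the sample as if only caplen bytes had been captured. */
int demo_status(size_t caplen)
{
    syn_info_t s;
    return parse_tcp_syn(sample_syn, caplen, &s);
}

/* One field of the fully captured sample: 'm' mss, 'w' wscale, 's' sack_ok,
 * 'p' sport, 'd' dport, 'f' flags; -1 if parsing fails. */
int demo_field(char which)
{
    syn_info_t s;
    if (parse_tcp_syn(sample_syn, sizeof sample_syn, &s) != 0) return -1;
    switch (which) {
    case 'm': return s.mss;   case 'w': return s.wscale; case 's': return s.sack_ok;
    case 'p': return s.sport; case 'd': return s.dport;  case 'f': return s.flags;
    default:  return -1;
    }
}

/* The sample with byte pos overwritten, to exercise the malformed-header paths. */
int demo_patched(size_t pos, uint8_t value)
{
    uint8_t copy[sizeof sample_syn];
    syn_info_t s;
    memcpy(copy, sample_syn, sizeof copy);
    copy[pos] = value;
    return parse_tcp_syn(copy, sizeof copy, &s);
}

int main(void)
{
    printf("full capture: %d, mss %d, wscale %d\n", demo_status(32), demo_field('m'), demo_field('w'));
    printf("24 of 32 bytes captured: %d\n", demo_status(24));   /* header claims 32 */
    printf("data offset 4: %d, MSS length 16: %d\n", demo_patched(12, 0x40), demo_patched(21, 0x10));
    return 0;
}
```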
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 28 Aug 2015 22:30:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1467) several tests are broken in scripts/policy/protocols/ssl

    [ https://bro-tracker.atlassian.net/browse/BIT-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer reassigned BIT-1467:
----------------------------------

    Assignee:     (was: Daniel Thayer)

> several tests are broken in scripts/policy/protocols/ssl
> --------------------------------------------------------
>
>                 Key: BIT-1467
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1467
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>             Fix For: 2.5
>
>
> Due to recent bug fixes in the btest repo (see BIT-1455), it was
> discovered that several tests in the bro repo now fail due to problems
> with their canonifier.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From jira at bro-tracker.atlassian.net  Fri Aug 28 20:30:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 28 Aug 2015 22:30:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1467) several tests are broken in scripts/policy/protocols/ssl

    [ https://bro-tracker.atlassian.net/browse/BIT-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21810#comment-21810 ]

Daniel Thayer commented on BIT-1467:
------------------------------------

Branch topic/dnthayer/ticket1467 in the bro repo contains fixes for some test canonifiers.

> several tests are broken in scripts/policy/protocols/ssl
> --------------------------------------------------------
>
>                 Key: BIT-1467
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1467
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>            Assignee: Daniel Thayer
>             Fix For: 2.5
>
>
> Due to recent bug fixes in the btest repo (see BIT-1455), it was
> discovered that several tests in the bro repo now fail due to problems
> with their canonifier.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From noreply at bro.org  Sat Aug 29 00:00:23 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 29 Aug 2015 00:00:23 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508290700.t7T70NPv010222@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter                Assignee   Updated     For Version   Priority   Summary
------------  ----------  ----------------------  ---------  ----------  ------------  ---------  -------------------------------------------------------------------
BIT-1465 [1]  Bro         Justin Azoff            -          2015-08-28  -             Normal     heap overflow in GetTimeFromAsn1
BIT-1459 [2]  Bro         Alexander Zatserkovnyy  -          2015-08-28  -             Normal     bro segfaults at analyzer::mime::MIME_Entity::ParseFieldParameters

Open GitHub Pull Requests
=========================

Issue    Component    User            Updated     Title
-------  -----------  --------------  ----------  ---------------------------------------------------
#42 [3]  bro          J-Gras [4]      2015-08-24  Improved logging of Base64 errors [5]
#40 [6]  bro          knielander [7]  2015-08-24  Enable linux fanout mode with Bro [8]
#6 [9]   bro-plugins  jswaro [10]     2015-08-24  Adding initial conversion of TCPRS to a plugin [11]

[1]  BIT-1465                        https://bro-tracker.atlassian.net/browse/BIT-1465
[2]  BIT-1459                        https://bro-tracker.atlassian.net/browse/BIT-1459
[3]  Pull Request #42                https://github.com/bro/bro/pull/42
[4]  J-Gras                          https://github.com/J-Gras
[5]  Merge Pull Request #42 with     git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/base64-logging
[6]  Pull Request #40                https://github.com/bro/bro/pull/40
[7]  knielander                      https://github.com/knielander
[8]  Merge Pull Request #40 with     git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[9]  Pull Request #6                 https://github.com/bro/bro-plugins/pull/6
[10] jswaro                          https://github.com/jswaro
[11] Merge Pull Request #6 with      git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin

From jira at bro-tracker.atlassian.net  Sat Aug 29 10:59:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Sat, 29 Aug 2015 12:59:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1462) heap overflow in ARP_Analyzer::IsARP

    [ https://bro-tracker.atlassian.net/browse/BIT-1462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1462:
---------------------------------

    Assignee: Robin Sommer

> heap overflow in ARP_Analyzer::IsARP
> ------------------------------------
>
>                 Key: BIT-1462
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1462
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Assignee: Robin Sommer
>         Attachments: arp_bug.pcap
>
>
> {code}
> # bro -r arp_bug.pcap
> =================================================================
> ==8775==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310008c07fe at pc 0x00000099a56e bp 0x7fffd1826e60 sp 0x7fffd1826e58
> READ of size 2 at 0x6310008c07fe thread T0
>     #0 0x99a56d in analyzer::arp::ARP_Analyzer::IsARP(unsigned char const*, int) /scratch/bro-clean/src/analyzer/protocol/arp/ARP.cc:24:2
>     #1 0x855781 in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:246:12
>     #2 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
>     #3 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
>     #4 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #5 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #6 0x7fc0ba545b44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #7 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From jira at bro-tracker.atlassian.net  Sat Aug 29 11:38:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Sat, 29 Aug 2015 13:38:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1465) heap overflow in GetTimeFromAsn1

    [ https://bro-tracker.atlassian.net/browse/BIT-1465?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1465:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> heap overflow in GetTimeFromAsn1
> --------------------------------
>
>                 Key: BIT-1465
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1465
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>         Attachments: gettimefromasn_bug.pcap
>
>
> This pcap requires -C
> {code}
> # bro -C -r gettimefromasn_bug.pcap
> =================================================================
> ==18126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001c0001 at pc 0x000000d1cd37 bp 0x7fffe6f622f0 sp 0x7fffe6f622e8
> READ of size 1 at 0x6020001c0001 thread T0
>     #0 0xd1cd36 in file_analysis::X509::GetTimeFromAsn1(asn1_string_st const*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:578:7
>     #1 0xd1b632 in file_analysis::X509::ParseCertificate(file_analysis::X509Val*) /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:134:31
>     #2 0xd1a93c in file_analysis::X509::EndOfFile() /scratch/bro-clean/src/file_analysis/analyzer/x509/X509.cc:55:27
>     #3 0xdd5513 in file_analysis::File::EndOfFile() /scratch/bro-clean/src/file_analysis/File.cc:522:10
>     #4 0xdc83e3 in file_analysis::Manager::RemoveFile(std::__cxx11::basic_string, std::allocator > const&) /scratch/bro-clean/src/file_analysis/Manager.cc:395:2
>     #5 0xbf3287 in binpac::RDP::RDP_Flow::proc_x509_cert_data(binpac::RDP::X509_Cert_Data*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3667:3
>     #6 0xbf288e in binpac::RDP::X509_Cert_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3390:10
>     #7 0xbf15bc in binpac::RDP::X509::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3316:25
>     #8 0xbefefc in binpac::RDP::Server_Certificate::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3022:19
>     #9 0xbe897b in binpac::RDP::Server_Security_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2935:2
>     #10 0xbe664a in binpac::RDP::Data_Block::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1176:30
>     #11 0xbe57c4 in binpac::RDP::Server_Header::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:2513:31
>     #12 0xbe38a8 in binpac::RDP::DT_Data::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:1010:21
>     #13 0xbe16c7 in binpac::RDP::COTP::Parse(unsigned char const*, unsigned char const*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:899:19
>     #14 0xbe10cd in binpac::RDP::TPKT::ParseBuffer(binpac::FlowBuffer*, binpac::RDP::ContextRDP*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:787:20
>     #15 0xbf3d4b in binpac::RDP::RDP_Flow::NewData(unsigned char const*, unsigned char const*) /scratch/bro-clean/build/src/analyzer/protocol/rdp/rdp_pac.cc:3436:35
>     #16 0xbd9b33 in analyzer::rdp::RDP_Analyzer::DeliverStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/rdp/RDP.cc:80:4
>     #17 0xe2506c in analyzer::Analyzer::NextStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:245:4
>     #18 0xe26530 in analyzer::Analyzer::ForwardStream(int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/Analyzer.cc:331:4
>     #19 0xce012d in analyzer::tcp::TCP_Reassembler::DeliverBlock(unsigned long, int, unsigned char const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:647:2
>     #20 0xcdfb77 in analyzer::tcp::TCP_Reassembler::BlockInserted(DataBlock*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:393:4
>     #21 0xce0a4a in analyzer::tcp::TCP_Reassembler::DataSent(double, unsigned long, int, unsigned char const*, bool) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Reassembler.cc:492:2
>     #22 0xcdc26d in analyzer::tcp::TCP_Endpoint::DataSent(double, unsigned long, int, int, unsigned char const*, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP_Endpoint.cc:205:12
>     #23 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverData(double, unsigned char const*, int, int, IP_Hdr const*, tcphdr const*, analyzer::tcp::TCP_Endpoint*, unsigned long, int, analyzer::tcp::TCP_Flags) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:982:9
>     #24 0xcd6210 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1381
>     #25 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
>     #26 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
>     #27 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
>     #28 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
>     #29 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
>     #30 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
>     #31 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #32 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #33 0x7f3b3edbdb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #34 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From jira at bro-tracker.atlassian.net  Sat Aug 29 11:38:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Sat, 29 Aug 2015 13:38:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1459) bro segfaults at analyzer::mime::MIME_Entity::ParseFieldParameters In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1459?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1459: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > bro segfaults at analyzer::mime::MIME_Entity::ParseFieldParameters > ------------------------------------------------------------------- > > Key: BIT-1459 > URL: https://bro-tracker.atlassian.net/browse/BIT-1459 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Environment: 2xXeon E5540, 64GB RAM, Linux 3.18.11, PF_RING 6.0.3 ZC (zbalance_ipc), bro cluster > Reporter: Alexander Zatserkovnyy > Labels: mime > > bro worker segfaults occurred from time to time after upgrade to bro 2.4-78 . Looks like the problem rise in analyzer::mime::MIME_Entity::ParseFieldParameters (/usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126). A couple of core listings follows: > Core was generated by `/usr/local/bin/bro -i zc:99 at 2 -U .status -p broctl -p broctl-live -p local -p w'. > Program terminated with signal SIGSEGV, Segmentation fault. 
> #0  analyzer::mime::MIME_Entity::ParseFieldParameters (this=this@entry=0x8aae540, len=16, len@entry=27, data=0x2447faec "(UploadBoundary)", data@entry=0x2447fae1 "; boundary=(UploadBoundary)")
>     at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126
> 126     static data_chunk_t get_data_chunk(BroString* s)
> (gdb) backtrace
> #0  analyzer::mime::MIME_Entity::ParseFieldParameters (this=this@entry=0x8aae540, len=16, len@entry=27, data=0x2447faec "(UploadBoundary)", data@entry=0x2447fae1 "; boundary=(UploadBoundary)")
>     at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126
> #1  0x0000000000769f7c in analyzer::mime::MIME_Entity::ParseContentTypeField (this=this@entry=0x8aae540, h=h@entry=0x521ddc0) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:799
> #2  0x000000000076a1d1 in analyzer::mime::MIME_Entity::ParseMIMEHeader (this=this@entry=0x8aae540, h=h@entry=0x521ddc0) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:763
> #3  0x000000000076b638 in analyzer::mime::MIME_Entity::FinishHeader (this=this@entry=0x8aae540) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:735
> #4  0x000000000076b821 in analyzer::mime::MIME_Entity::NewHeader (this=0x8aae540, len=13, data=0x1704a3c0 "Host: fegi.ru") at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:699
> #5  0x0000000000721490 in analyzer::http::HTTP_Analyzer::DeliverStream (this=0xbd9f080, len=13, data=0x1704a3c0 "Host: fegi.ru", is_orig=) at /usr/src/other/bro/src/analyzer/protocol/http/HTTP.cc:1038
> #6  0x00000000007f0ded in analyzer::tcp::ContentLine_Analyzer::DoDeliverOnce (this=this@entry=0x14fbe090, len=, len@entry=84, data=, data@entry=0xcd56528 "Host: fegi.ru\r\nContent-Length: 185\r\nExpect: 100-continue\r\nConnection: Keep-Alive\r\n\r\n") at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:258
> #7  0x00000000007f0fbb in analyzer::tcp::ContentLine_Analyzer::DoDeliver (this=0x14fbe090, len=84, data=0xcd56528 "Host: fegi.ru\r\nContent-Length: 185\r\nExpect: 100-continue\r\nConnection: Keep-Alive\r\n\r\n") at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:200
> #8  0x00000000007f07b0 in analyzer::tcp::ContentLine_Analyzer::DeliverStream (this=0x14fbe090, len=, data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"..., is_orig=) at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:108
> #9  0x0000000000861216 in analyzer::Analyzer::NextStream (this=0x14fbe090, len=444, data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:245
> #10 0x00000000008619a6 in analyzer::Analyzer::ForwardStream (this=0x14ea0000, len=444, data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:331
> #11 0x00000000007efb49 in analyzer::tcp::TCP_Reassembler::DeliverBlock (this=this@entry=0xc6d7800, seq=seq@entry=1, len=len@entry=444, data=0xcd563c0 "POST /wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-content/uploads/ HTTP/1.1\r\nReferer: http://fegi.ru/wp-content/themes/ProjectTheme/lib/upload_main/upload.php?folder=/wp-conte"...) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:650
> #12 0x00000000007efe79 in analyzer::tcp::TCP_Reassembler::BlockInserted (this=0xc6d7800, start_block=) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:396
> #13 0x00000000007ef9cc in analyzer::tcp::TCP_Reassembler::DataSent (this=0xc6d7800, t=, seq=, len=, len@entry=444, data=, data@entry=0x7f5b768985b6 , replaying=replaying@entry=true) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:495
> #14 0x00000000007ee341 in analyzer::tcp::TCP_Endpoint::DataSent (this=this@entry=0x710d620, t=, seq=seq@entry=1, len=444, caplen=444, data=0x7f5b768985b6 , ip=ip@entry=0x7ffcb14c4f90, tp=tp@entry=0x7f5b768985a2) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Endpoint.cc:207
> #15 0x00000000007eba12 in DeliverData (flags=..., is_orig=, rel_data_seq=1, endpoint=0x710d620, tp=0x7f5b768985a2, ip=0x7ffcb14c4f90, caplen=, len=, data=, t=, this=0x14ea0000) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:982
> #16 analyzer::tcp::TCP_Analyzer::DeliverPacket (this=0x14ea0000, len=444, data=0x7f5b768985b6 , is_orig=, seq=, ip=0x7ffcb14c4f90, caplen=444) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:1382
> #17 0x00000000008610c2 in analyzer::Analyzer::NextPacket (this=0x14ea0000, len=464, data=0x7f5b768985a2 , is_orig=, seq=18446744073709551615, ip=0x7ffcb14c4f90, caplen=464) at /usr/src/other/bro/src/analyzer/Analyzer.cc:222
> #18 0x000000000056979d in Connection::NextPacket (this=this@entry=0x1d1b6540, t=t@entry=1439902857.1053071, is_orig=is_orig@entry=1, ip=ip@entry=0x7ffcb14c4f90, len=len@entry=464, caplen=caplen@entry=464, data=@0x7ffcb14c4e08: 0x7f5b768985a2 , record_packet=, record_content=, pkt=, pkt@entry=0x2821530) at /usr/src/other/bro/src/Conn.cc:260
> #19 0x00000000006038a0 in NetSessions::DoNextPacket (this=this@entry=0x2d603c0, t=t@entry=1439902857.1053071, pkt=pkt@entry=0x2821530, ip_hdr=ip_hdr@entry=0x7ffcb14c4f90, encapsulation=encapsulation@entry=0x0) at /usr/src/other/bro/src/Sessions.cc:735
> #20 0x0000000000604824 in NetSessions::NextPacket (this=0x2d603c0, t=t@entry=1439902857.1053071, pkt=pkt@entry=0x2821530) at /usr/src/other/bro/src/Sessions.cc:207
> #21 0x00000000005d456f in net_packet_dispatch (t=1439902857.1053071, pkt=pkt@entry=0x2821530, src_ps=src_ps@entry=0x2821500) at /usr/src/other/bro/src/Net.cc:273
> #22 0x0000000000834539 in iosource::PktSrc::Process (this=0x2821500) at /usr/src/other/bro/src/iosource/PktSrc.cc:265
> #23 0x00000000005d4a0f in net_run () at /usr/src/other/bro/src/Net.cc:321
> #24 0x00000000005346dc in main (argc=, argv=) at /usr/src/other/bro/src/main.cc:1191
> ---------------------------------------------------------------------------------------------------------------------
> #0  analyzer::mime::MIME_Entity::ParseFieldParameters (this=this@entry=0x16141d40, len=0, len@entry=11, data=0x1c0d0e9c "", data@entry=0x1c0d0e91 "; boundary=")
>     at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:126
> #1  0x0000000000769f7c in analyzer::mime::MIME_Entity::ParseContentTypeField (this=this@entry=0x16141d40, h=h@entry=0x1a46c740) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:799
> #2  0x000000000076a1d1 in analyzer::mime::MIME_Entity::ParseMIMEHeader (this=this@entry=0x16141d40, h=h@entry=0x1a46c740) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:763
> #3  0x000000000076b638 in analyzer::mime::MIME_Entity::FinishHeader (this=this@entry=0x16141d40) at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:735
> #4  0x000000000076b821 in analyzer::mime::MIME_Entity::NewHeader (this=0x16141d40, len=175, data=0xd0dee00 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36") at /usr/src/other/bro/src/analyzer/protocol/mime/MIME.cc:699
> #5  0x0000000000721490 in analyzer::http::HTTP_Analyzer::DeliverStream (this=0xe7c4080, len=175, data=0xd0dee00 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36", is_orig=) at /usr/src/other/bro/src/analyzer/protocol/http/HTTP.cc:1038
> #6  0x00000000007f0ded in analyzer::tcp::ContentLine_Analyzer::DoDeliverOnce (this=this@entry=0xe806450, len=, len@entry=265, data=, data@entry=0x21c2647 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36\r\nAccept-Encoding: gzip, "...) at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:258
> #7  0x00000000007f0fbb in analyzer::tcp::ContentLine_Analyzer::DoDeliver (this=0xe806450, len=265, data=0x21c2647 "User-Agent: Mozilla/5.0 (Linux; Android 4.1.2; s4507 Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3842.00 Mobile Safari/537.36\r\nAccept-Encoding: gzip, "...) at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:200
> #8  0x00000000007f07b0 in analyzer::tcp::ContentLine_Analyzer::DeliverStream (this=0xe806450, len=, data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"..., is_orig=) at /usr/src/other/bro/src/analyzer/protocol/tcp/ContentLine.cc:108
> #9  0x0000000000861216 in analyzer::Analyzer::NextStream (this=0xe806450, len=464, data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:245
> #10 0x00000000008619a6 in analyzer::Analyzer::ForwardStream (this=0xb172f20, len=464, data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"..., is_orig=) at /usr/src/other/bro/src/analyzer/Analyzer.cc:331
> #11 0x00000000007efb49 in analyzer::tcp::TCP_Reassembler::DeliverBlock (this=this@entry=0x167805a0, seq=seq@entry=1, len=len@entry=464, data=0x21c2580 "POST /submit HTTP/1.1\r\nHost: crash-reports.browser.yandex.net\r\nConnection: keep-alive\r\nContent-Length: 32768\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data; boundary=\r\nU"...) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:650
> #12 0x00000000007efe79 in analyzer::tcp::TCP_Reassembler::BlockInserted (this=0x167805a0, start_block=) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:396
> #13 0x00000000007ef9cc in analyzer::tcp::TCP_Reassembler::DataSent (this=0x167805a0, t=, seq=, len=, len@entry=464, data=, data@entry=0x7f9c1b006442 , replaying=replaying@entry=true) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Reassembler.cc:495
> #14 0x00000000007ee341 in analyzer::tcp::TCP_Endpoint::DataSent (this=this@entry=0x4bb1fb0, t=, seq=seq@entry=1, len=464, caplen=464, data=0x7f9c1b006442 , ip=ip@entry=0x7fff4034c130, tp=tp@entry=0x7f9c1b006422) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP_Endpoint.cc:207
> #15 0x00000000007eba12 in DeliverData (flags=..., is_orig=, rel_data_seq=1, endpoint=0x4bb1fb0, tp=0x7f9c1b006422, ip=0x7fff4034c130, caplen=, len=, data=, t=, this=0xb172f20) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:982
> #16 analyzer::tcp::TCP_Analyzer::DeliverPacket (this=0xb172f20, len=464, data=0x7f9c1b006442 , is_orig=, seq=, ip=0x7fff4034c130, caplen=464) at /usr/src/other/bro/src/analyzer/protocol/tcp/TCP.cc:1382
> #17 0x00000000008610c2 in analyzer::Analyzer::NextPacket (this=0xb172f20, len=496, data=0x7f9c1b006422 , is_orig=, seq=18446744073709551615, ip=0x7fff4034c130, caplen=496) at /usr/src/other/bro/src/analyzer/Analyzer.cc:222
> #18 0x000000000056979d in Connection::NextPacket (this=this@entry=0x11e52f40, t=t@entry=1439788398.623282, is_orig=is_orig@entry=1, ip=ip@entry=0x7fff4034c130, len=len@entry=496, caplen=caplen@entry=496, data=@0x7fff4034bfa8: 0x7f9c1b006422 , record_packet=, record_content=, pkt=, pkt@entry=0x251a870) at /usr/src/other/bro/src/Conn.cc:260
> #19 0x00000000006038a0 in NetSessions::DoNextPacket (this=this@entry=0x2a583c0, t=t@entry=1439788398.623282, pkt=pkt@entry=0x251a870, ip_hdr=ip_hdr@entry=0x7fff4034c130, encapsulation=encapsulation@entry=0x0) at /usr/src/other/bro/src/Sessions.cc:735
> #20 0x0000000000604824 in NetSessions::NextPacket (this=0x2a583c0, t=t@entry=1439788398.623282, pkt=pkt@entry=0x251a870) at /usr/src/other/bro/src/Sessions.cc:207
> #21 0x00000000005d456f in net_packet_dispatch (t=1439788398.623282, pkt=pkt@entry=0x251a870, src_ps=src_ps@entry=0x251a840) at /usr/src/other/bro/src/Net.cc:273
> #22 0x0000000000834539 in iosource::PktSrc::Process (this=0x251a840) at /usr/src/other/bro/src/iosource/PktSrc.cc:265
> #23 0x00000000005d4a0f in net_run () at /usr/src/other/bro/src/Net.cc:321
> #24 0x00000000005346dc in main (argc=, argv=) at /usr/src/other/bro/src/main.cc:1191

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-247#70102)

From ayenadedg at gmail.com  Sat Aug 29 12:05:09 2015
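Both cores above stop in ParseFieldParameters with the text after `boundary=` as its input: once `(UploadBoundary)` (len=16) and once the empty string (len=0), the latter coming from a request whose header was literally `Content-Type: multipart/form-data; boundary=`. The following is an added example, not Bro's MIME code and not the fix that was merged for BIT-1459: a small bounds-checked parser for a Content-Type parameter list that is written to survive exactly those two inputs. Under the RFC 2045 grammar a `(` where a value is expected opens a comment, so `boundary=(UploadBoundary)` and `boundary=` both yield an empty boundary; the caller then has to treat an empty boundary as "no delimiter", never as a zero-length delimiter string. All names (`MimeParam`, `parse_mime_params`, `mime_boundary`) and the test inputs in `main` are this example's own.

```cpp
// Added example (not Bro's code): a bounds-checked parser for the parameter
// list of a MIME Content-Type header value, i.e. the part after type/subtype.
// It is written to survive the two inputs from the crash report above:
//   "; boundary=(UploadBoundary)"  (a comment where a token was expected)
//   "; boundary="                  (an empty value at end of input)
// Names (parse_mime_params, MimeParam, mime_boundary) are this example's own.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

struct MimeParam {
    std::string name;   // lower-cased
    std::string value;  // "" when the parameter had no usable value
};

// RFC 2045 tspecials: characters that may not appear in a token.
static bool is_tspecial(unsigned char c) {
    return c == '(' || c == ')' || c == '<' || c == '>' || c == '@' ||
           c == ',' || c == ';' || c == ':' || c == '\\' || c == '"' ||
           c == '/' || c == '[' || c == ']' || c == '?' || c == '=';
}

static bool is_token_char(unsigned char c) {
    return c > 32 && c < 127 && !is_tspecial(c);
}

// Skip linear whitespace and RFC 822 comments "(...)", which may nest.
// Every read is guarded by i < s.size(), so an unterminated comment simply
// consumes the rest of the input instead of running off the end.
static void skip_cfws(const std::string& s, size_t& i) {
    while (i < s.size()) {
        unsigned char c = s[i];
        if (c == ' ' || c == '\t' || c == '\r' || c == '\n') { ++i; continue; }
        if (c == '(') {
            int depth = 0;
            while (i < s.size()) {
                if (s[i] == '\\' && i + 1 < s.size()) { i += 2; continue; }
                if (s[i] == '(') ++depth;
                else if (s[i] == ')' && --depth == 0) { ++i; break; }
                ++i;
            }
            continue;
        }
        break;
    }
}

static std::string read_token(const std::string& s, size_t& i) {
    size_t start = i;
    while (i < s.size() && is_token_char(s[i])) ++i;
    return s.substr(start, i - start);   // empty when no token chars follow
}

// quoted-string with backslash escapes. A missing closing quote yields what
// was read so far rather than an out-of-bounds read.
static std::string read_quoted(const std::string& s, size_t& i) {
    std::string out;
    ++i;                                  // opening quote
    while (i < s.size() && s[i] != '"') {
        if (s[i] == '\\' && i + 1 < s.size()) ++i;
        out += s[i++];
    }
    if (i < s.size()) ++i;                // closing quote
    return out;
}

// Parse "; name=value; name2=\"quoted\"" into a list. Text before the first
// ';' (e.g. "multipart/form-data") is skipped. Malformed parameters (no '=',
// empty name) are dropped, not fatal; every loop iteration advances i, so the
// parser terminates on any input.
std::vector<MimeParam> parse_mime_params(const std::string& s) {
    std::vector<MimeParam> out;
    size_t i = 0;
    while (i < s.size()) {
        skip_cfws(s, i);
        if (i >= s.size()) break;
        if (s[i] != ';') { ++i; continue; }   // resync on the next ';'
        ++i;
        skip_cfws(s, i);
        std::string name = read_token(s, i);
        skip_cfws(s, i);
        if (name.empty() || i >= s.size() || s[i] != '=') continue;
        ++i;                                  // '='
        skip_cfws(s, i);   // here "(UploadBoundary)" is consumed as a comment
        std::string value;
        if (i < s.size() && s[i] == '"') value = read_quoted(s, i);
        else value = read_token(s, i);        // "" for "; boundary=" at end
        for (char& c : name) c = (char)std::tolower((unsigned char)c);
        out.push_back({name, value});
    }
    return out;
}

// The boundary parameter, or "" if absent or empty. Callers must check for ""
// before using the result as a multipart delimiter.
std::string mime_boundary(const std::string& params) {
    for (const MimeParam& p : parse_mime_params(params))
        if (p.name == "boundary") return p.value;
    return "";
}

int main() {
    // Constructed inputs: the two parameter lists seen in the cores above.
    const char* inputs[] = { "; boundary=(UploadBoundary)", "; boundary=" };
    for (const char* in : inputs)
        std::printf("%-28s -> boundary=\"%s\"\n", in, mime_boundary(in).c_str());
    return 0;
}
```

The property worth carrying back into a protocol analyzer is that no helper here ever dereferences `s[i]` without first checking `i < s.size()`, and that the empty-value and comment cases are represented in the result rather than special-cased by the caller.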
From: ayenadedg at gmail.com (Edgar D. AYENA)
Date: Sat, 29 Aug 2015 20:05:09 +0100
Subject: [Bro-Dev] Aide broDev
In-Reply-To:
References:
Message-ID:

Hello dear Bro developer friends,

I am Edgar, and I am a beginner with Bro. My end-of-training thesis has led me to set up security policies with the Bro tool. I have listed a few tasks to carry out in a file that I have attached to this email. I do not know whether everything is feasible with Bro, but I seriously need help, because the date of my thesis defense is approaching and I would like to be able to implement at least some of them during my presentation.

Please help me.

--
Regards,
------
Edgar D. AYENA,
Tel: (00229) 96 055 506 - 95 805 326
03 BP 3172 Cotonou, R. Bénin
ayenadedgar at yahoo.fr
ayenadedg at gmail.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TACHES BRO.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 15592 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20150829/137e9deb/attachment.bin

From ayenadedg at gmail.com  Sat Aug 29 12:18:35 2015
From: ayenadedg at gmail.com (Edgar D. AYENA)
Date: Sat, 29 Aug 2015 20:18:35 +0100
Subject: [Bro-Dev] Aide broDev
Message-ID:

Hello dear Bro developer friends,

I am Edgar, and I am a beginner with Bro. My end-of-training thesis has led me to set up security policies with the Bro tool. I have listed a few tasks to carry out in a file that I have attached to this email. I do not know whether everything is feasible with Bro, but I seriously need help, because the date of my thesis defense is approaching and I would like to be able to implement at least some of them during my presentation.

Please help me.

--
Regards,
------
Edgar D. AYENA,
Tel: (00229) 96 055 506 - 95 805 326
03 BP 3172 Cotonou, R. Bénin
ayenadedgar at yahoo.fr
ayenadedg at gmail.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TACHES BRO.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 15592 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20150829/952a9f74/attachment-0001.bin

From mfischer at ICSI.Berkeley.EDU  Sat Aug 29 15:47:38 2015
From: mfischer at ICSI.Berkeley.EDU (Mathias Fischer)
Date: Sat, 29 Aug 2015 15:47:38 -0700
Subject: [Bro-Dev] The Bro Deep Cluster
Message-ID: <55E2368A.1010809@icsi.berkeley.edu>

Hi all,

with this email I just want to share my (still ongoing) research work with you and hope to get some community feedback.

For a few months I have been working on what we call a Bro deep cluster: A deep cluster is envisioned to provide better scalability properties than the current Bro cluster framework. That would allow providing one administrative interface for several conventional clusters and/or standalone nodes to monitor several links at once. Due to its scalability it can bring monitoring from the edge of the monitored network into its depth (-> deep cluster).

A deep cluster requires an auto-configuration mechanism that goes beyond what BroControl is currently providing. The goal is to set up large numbers of Bro instances that might be deployed in different parts of the network (or in different networks). Afterwards, these instances need to communicate with each other to share data and to provide security operators with a common view on their networks.

An example of this would be that you have a huge network within a US-wide operating company that hosts several production sites on the east and the west coast. Currently, you would monitor each production site individually with a Bro cluster. With a deep cluster you would be able to monitor, and to configure the monitoring for, all production sites at once. For example, this might allow detecting a slow distributed port scan across the whole network that would remain unnoticed with one isolated Bro cluster per production site.

More information is provided on the following website, including some hints on how to run the current (development) version of the deep cluster:

https://www.bro.org/development/projects/deep-cluster.html

Feedback, hints, and advice are highly appreciated.

Mathias

--
Mathias Fischer
International Computer Science Institute
Berkeley, USA
http://www.icsi.berkeley.edu/~mfischer/

From noreply at bro.org  Sun Aug 30 00:00:20 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 30 Aug 2015 00:00:20 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508300700.t7U70KYB031623@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

  Issue    Component    User             Updated      Title
  -------  -----------  ---------------  ----------   --------------------------------------------------
  #42 [1]  bro          J-Gras [2]       2015-08-24   Improved logging of Base64 errors [3]
  #40 [4]  bro          knielander [5]   2015-08-24   Enable linux fanout mode with Bro [6]
  #6 [7]   bro-plugins  jswaro [8]       2015-08-24   Adding initial conversion of TCPRS to a plugin [9]

[1] Pull Request #42        https://github.com/bro/bro/pull/42
[2] J-Gras                  https://github.com/J-Gras
[3] Merge Pull Request #42 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/base64-logging
[4] Pull Request #40        https://github.com/bro/bro/pull/40
[5] knielander              https://github.com/knielander
[6] Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[7] Pull Request #6         https://github.com/bro/bro-plugins/pull/6
[8] jswaro                  https://github.com/jswaro
[9] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin

From noreply at bro.org  Mon Aug 31 00:00:20 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 31 Aug 2015 00:00:20 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201508310700.t7V70KFm032162@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

  Issue    Component    User             Updated      Title
  -------  -----------  ---------------  ----------   --------------------------------------------------
  #42 [1]  bro          J-Gras [2]       2015-08-31   Improved logging of Base64 errors [3]
  #40 [4]  bro          knielander [5]   2015-08-31   Enable linux fanout mode with Bro [6]
  #6 [7]   bro-plugins  jswaro [8]       2015-08-24   Adding initial conversion of TCPRS to a plugin [9]

[1] Pull Request #42        https://github.com/bro/bro/pull/42
[2] J-Gras                  https://github.com/J-Gras
[3] Merge Pull Request #42 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/base64-logging
[4] Pull Request #40        https://github.com/bro/bro/pull/40
[5] knielander              https://github.com/knielander
[6] Merge Pull Request #40 with git pull --no-ff --no-commit https://github.com/knielander/bro.git master
[7] Pull Request #6         https://github.com/bro/bro-plugins/pull/6
[8] jswaro                  https://github.com/jswaro
[9] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin

From jira at bro-tracker.atlassian.net  Mon Aug 31 08:01:00 2015
From: jira at bro-tracker.atlassian.net (Gary Faulkner (JIRA))
Date: Mon, 31 Aug 2015 10:01:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1469) dpd.log contains lots of binpac exceptions for RDP
In-Reply-To:
References:
Message-ID:

Gary Faulkner created BIT-1469:
----------------------------------

             Summary: dpd.log contains lots of binpac exceptions for RDP
                 Key: BIT-1469
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1469
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BinPAC, Bro
    Affects Versions: git/master
         Environment: RHEL 6.6, 2.4-10 bro build from git
            Reporter: Gary Faulkner

RDP scanners seem to generate a lot of binpac errors in dpd.log for RDP connections.

The following log line is an example of the error that repeats continuously during the activity:

1441031469.413008	CPNcey4q2i8mGVUvEg	74.91.23.83	62082	10.10.81.207	3389	tcp	RDP	Binpac exception: binpac exception: out_of_bound: DT_Data:application_type: 3 > 2

The 10.x.x.x IP is the redacted local IP. The other IP is the scanner.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-259#70102)

From jira at bro-tracker.atlassian.net  Mon Aug 31 08:18:00 2015
From: jira at bro-tracker.atlassian.net (Gary Faulkner (JIRA))
Date: Mon, 31 Aug 2015 10:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1469) dpd.log contains lots of binpac exceptions for RDP
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Faulkner updated BIT-1469:
-------------------------------
    Attachment: rdp-31AUG15.pcap

> dpd.log contains lots of binpac exceptions for RDP
> --------------------------------------------------
>
>                 Key: BIT-1469
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1469
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC, Bro
>    Affects Versions: git/master
>         Environment: RHEL 6.6, 2.4-10 bro build from git
>            Reporter: Gary Faulkner
>              Labels: analyzer
>         Attachments: rdp-31AUG15.pcap
>
>
> RDP scanners seem to generate a lot of binpac errors in dpd.log for RDP connections.
> The following log line is an example of the error that repeats continuously during the activity:
> 1441031469.413008	CPNcey4q2i8mGVUvEg	74.91.23.83	62082	10.10.81.207	3389	tcp	RDP	Binpac exception: binpac exception: out_of_bound: DT_Data:application_type: 3 > 2
> The 10.x.x.x IP is the redacted local IP. The other IP is the scanner.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-259#70102)

From jira at bro-tracker.atlassian.net  Mon Aug 31 10:41:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 31 Aug 2015 12:41:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1464) heap overflow in build_syn_packet_val
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1464?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1464:
----------------------------------
    Assignee: Johanna Amann

> heap overflow in build_syn_packet_val
> -------------------------------------
>
>                 Key: BIT-1464
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1464
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Assignee: Johanna Amann
>         Attachments: build_syn_packet_val_bug.pcap
>
>
> {code}
> # bro -r build_syn_packet_val_bug.pcap
> =================================================================
> ==15198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000e45266 at pc 0x000000cd6731 bp 0x7fff061fe1b0 sp 0x7fff061fe1a8
> READ of size 1 at 0x607000e45266 thread T0
>     #0 0xcd6730 in build_syn_packet_val(int, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:52:3
>     #1 0xcd6730 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1274
>     #2 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
>     #3 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
>     #4 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
>     #5 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
>     #6 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
>     #7 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
>     #8 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #9 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #10 0x7f204146cb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #11 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-259#70102)

From jira at bro-tracker.atlassian.net  Mon Aug 31 10:47:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 31 Aug 2015 12:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1425) BroString::Set() Attempts Allocation of Negative-Length Memory
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1425:
------------------------------
    Resolution: Fixed
        Status: Closed  (was: Open)

> BroString::Set() Attempts Allocation of Negative-Length Memory
> --------------------------------------------------------------
>
>                 Key: BIT-1425
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1425
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3, 2.4
>         Environment: Linux Mint 17.1 (Ubuntu 14.04) on bare metal and in a VirtualBox VM.
>                      Mac OS X 10.10.3
>            Reporter: Jonathan Ganz
>            Assignee: Robin Sommer
>              Labels: analyzer
>             Fix For: 2.5
>
>         Attachments: backtrace.log, lbl-internal.20041215-1142.port004.dump.anon, memory_trace.log, negativeMemory.bro
>
>
> When the tcp_packet() event is used, Bro may attempt to allocate memory that is negative in length (i.e. -6 bytes). Bro crashes with the following output:
>
> tcmalloc: large alloc 0 bytes == (nil) @ 0x7f6abeaefc73 0x7f6abeb111c3 0x765e81 0x765b24 0x872562 0xaddc2f 0xaded94 0xb7aeca 0x775180 0x84105b 0x83f5c0 0x83f39d 0x7fb1bc 0xb3cde6 0x7fb3d9 0x750e98 0x7f6abdaf4ec5 0x72e553 (nil)
> out of memory in new.
> 1103139821.634774 fatal error: out of memory in new.
>
> The attached pcap file and bro script cause such a crash when run with the following command:
>
> /usr/local/bro/bin/bro -r lbl-internal.20041215-1142.port004.dump.anon /usr/local/bro/share/bro/site/negativeMemory.bro
>
> A core file is not being generated for me, despite following the directions for reporting problems (https://www.bro.org/support/reporting-problems.html#getting-more-information-after-acrash). The file named memory_trace.log shows an alternatively formatted traceback of the stack when the error occurs.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-259#70102)

From jira at bro-tracker.atlassian.net  Mon Aug 31 11:09:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 31 Aug 2015 13:09:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1464) heap overflow in build_syn_packet_val
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21900#comment-21900 ]

Johanna Amann commented on BIT-1464:
------------------------------------

Ok - I managed to verify this and I think that Robin just fixed it in 1b9ee38e6933fbaf1db5822ab0e3088e41435c49. Could you just cross-check to make sure and close the bug if that fixes it?

> heap overflow in build_syn_packet_val
> -------------------------------------
>
>                 Key: BIT-1464
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1464
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Assignee: Johanna Amann
>         Attachments: build_syn_packet_val_bug.pcap
>
>
> {code}
> # bro -r build_syn_packet_val_bug.pcap
> =================================================================
> ==15198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000e45266 at pc 0x000000cd6731 bp 0x7fff061fe1b0 sp 0x7fff061fe1a8
> READ of size 1 at 0x607000e45266 thread T0
>     #0 0xcd6730 in build_syn_packet_val(int, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:52:3
>     #1 0xcd6730 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1274
>     #2 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
>     #3 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
>     #4 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
>     #5 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
>     #6 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
>     #7 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
>     #8 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #9 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #10 0x7f204146cb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #11 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-259#70102)

From jira at bro-tracker.atlassian.net  Mon Aug 31 11:09:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 31 Aug 2015 13:09:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1464) heap overflow in build_syn_packet_val
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1464?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1464:
----------------------------------
    Assignee: Justin Azoff  (was: Johanna Amann)

> heap overflow in build_syn_packet_val
> -------------------------------------
>
>                 Key: BIT-1464
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1464
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Assignee: Justin Azoff
>         Attachments: build_syn_packet_val_bug.pcap
>
>
> {code}
> # bro -r build_syn_packet_val_bug.pcap
> =================================================================
> ==15198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000e45266 at pc 0x000000cd6731 bp 0x7fff061fe1b0 sp 0x7fff061fe1a8
> READ of size 1 at 0x607000e45266 thread T0
>     #0 0xcd6730 in build_syn_packet_val(int, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:52:3
>     #1 0xcd6730 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1274
>     #2 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
>     #3 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
>     #4 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
>     #5 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
>     #6 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
>     #7 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
>     #8 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #9 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #10 0x7f204146cb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #11 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-259#70102)

From jira at bro-tracker.atlassian.net  Mon Aug 31 11:28:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 31 Aug 2015 13:28:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1463) heap overflow in PktSrc::Process

[ https://bro-tracker.atlassian.net/browse/BIT-1463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1463:
----------------------------------

    Assignee: Johanna Amann

> heap overflow in PktSrc::Process
> --------------------------------
>
>                 Key: BIT-1463
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1463
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Assignee: Johanna Amann
>         Attachments: pktsrc_bug.pcap
>
>
> {code}
> ==11569==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001bcbfc at pc 0x000000da1f1b bp 0x7fff726f3d90 sp 0x7fff726f3d88
> READ of size 1 at 0x6020001bcbfc thread T0
>     #0 0xda1f1a in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:325:3
>     #1 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #2 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #3 0x7f2fd89beb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #4 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

From jira at bro-tracker.atlassian.net Mon Aug 31 12:07:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 31 Aug 2015 14:07:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1464) heap overflow in build_syn_packet_val

[ https://bro-tracker.atlassian.net/browse/BIT-1464?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1464:
-------------------------------

    Resolution: Duplicate
        Status: Closed  (was: Open)

Was fixed together with BIT-1425

> heap overflow in build_syn_packet_val
> -------------------------------------
>
>                 Key: BIT-1464
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1464
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Assignee: Justin Azoff
>         Attachments: build_syn_packet_val_bug.pcap
>
>
> {code}
> # bro -r build_syn_packet_val_bug.pcap
> =================================================================
> ==15198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000e45266 at pc 0x000000cd6731 bp 0x7fff061fe1b0 sp 0x7fff061fe1a8
> READ of size 1 at 0x607000e45266 thread T0
>     #0 0xcd6730 in build_syn_packet_val(int, IP_Hdr const*, tcphdr const*) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:52:3
>     #1 0xcd6730 in analyzer::tcp::TCP_Analyzer::DeliverPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/protocol/tcp/TCP.cc:1274
>     #2 0xe24b22 in analyzer::Analyzer::NextPacket(int, unsigned char const*, bool, unsigned long, IP_Hdr const*, int) /scratch/bro-clean/src/analyzer/Analyzer.cc:222:4
>     #3 0x688d9f in Connection::NextPacket(double, int, IP_Hdr const*, int, int, unsigned char const*&, int&, int&, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Conn.cc:260:3
>     #4 0x858e6f in NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) /scratch/bro-clean/src/Sessions.cc:758:2
>     #5 0x85553d in NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int) /scratch/bro-clean/src/Sessions.cc:231:3
>     #6 0x7ba30f in net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, iosource::PktSrc*) /scratch/bro-clean/src/Net.cc:281:2
>     #7 0xda1c1b in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:423:3
>     #8 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #9 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #10 0x7f204146cb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #11 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

From jira at bro-tracker.atlassian.net Mon Aug 31 13:05:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 31 Aug 2015 15:05:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

[ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1363:
-------------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

This was added in https://github.com/bro/bro/commit/36b5a4db0834be81ae0761f673744a5b72ae9817

> Clustered AF_PACKET support
> ---------------------------
>
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
>
> Let's have support for packet capture with AF_PACKET sockets in a multi-worker configuration.
> Bro can use a single worker with af_packet (I have tested it and it works), but direct support for multi-worker load balancing would make it possible to avoid pf_ring for many deployments with traffic levels where DNA / ZC / Myricom / DAG is not required.

From jira at bro-tracker.atlassian.net Mon Aug 31 13:06:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 31 Aug 2015 15:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

[ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1363:
-------------------------------

        Status: Reopened  (was: Closed)
    Resolution:           (was: Fixed)

> Clustered AF_PACKET support
> ---------------------------
>
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
>
> Let's have support for packet capture with AF_PACKET sockets in a multi-worker configuration.
> Bro can use a single worker with af_packet (I have tested it and it works), but direct support for multi-worker load balancing would make it possible to avoid pf_ring for many deployments with traffic levels where DNA / ZC / Myricom / DAG is not required.

From jira at bro-tracker.atlassian.net Mon Aug 31 13:06:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 31 Aug 2015 15:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

[ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21904#comment-21904 ]

Johanna Amann commented on BIT-1363:
------------------------------------

Actually, sorry, it was not, since this is probably not supported by broctl yet.

> Clustered AF_PACKET support
> ---------------------------
>
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
>
> Let's have support for packet capture with AF_PACKET sockets in a multi-worker configuration.
> Bro can use a single worker with af_packet (I have tested it and it works), but direct support for multi-worker load balancing would make it possible to avoid pf_ring for many deployments with traffic levels where DNA / ZC / Myricom / DAG is not required.

From jira at bro-tracker.atlassian.net Mon Aug 31 13:14:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 31 Aug 2015 15:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1463) heap overflow in PktSrc::Process

[ https://bro-tracker.atlassian.net/browse/BIT-1463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21905#comment-21905 ]

Johanna Amann commented on BIT-1463:
------------------------------------

I have a fix in topic/johanna/bit-1463 that starts counting remaining bytes to see if there might be an access overflow in the header. It fixes the problem in the presented trace, and I hope that it will also fix similar problems with other headers (e.g. mpls/vlan/whatever).

> heap overflow in PktSrc::Process
> --------------------------------
>
>                 Key: BIT-1463
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1463
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Assignee: Johanna Amann
>         Attachments: pktsrc_bug.pcap
>
>
> {code}
> ==11569==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001bcbfc at pc 0x000000da1f1b bp 0x7fff726f3d90 sp 0x7fff726f3d88
> READ of size 1 at 0x6020001bcbfc thread T0
>     #0 0xda1f1a in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:325:3
>     #1 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #2 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #3 0x7f2fd89beb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #4 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

From jira at bro-tracker.atlassian.net Mon Aug 31 13:14:00 2015
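The "counting remaining bytes" approach described in the comment above, as an added illustration in C that is not Bro's code from topic/johanna/bit-1463: a link-layer header walk that subtracts every header it consumes from the captured length and refuses to read a field that lies past the end of the capture, so a truncated frame is rejected instead of read out of bounds. The frames are constructed here and are not taken from the attached pcap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHERTYPE_VLAN 0x8100   /* 802.1Q tag */
#define ETHERTYPE_QINQ 0x88a8   /* 802.1ad outer tag */
#define ETHERTYPE_IPV4 0x0800

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk Ethernet plus any stacked VLAN tags while tracking how many captured
 * bytes remain; every field is checked against `remaining` before it is read.
 * Returns the inner ethertype and stores the header length in *hdr_len, or
 * returns -1 when the header would run past caplen (a truncated packet). */
int parse_link_layer(const uint8_t *pkt, size_t caplen, size_t *hdr_len)
{
    const uint8_t *p = pkt;
    size_t remaining = caplen;

    if (remaining < 14)                 /* dst MAC(6) + src MAC(6) + type(2) */
        return -1;
    uint16_t type = rd16(p + 12);
    p += 14; remaining -= 14;

    while (type == ETHERTYPE_VLAN || type == ETHERTYPE_QINQ) {
        if (remaining < 4)              /* TCI(2) + encapsulated type(2) */
            return -1;                  /* reading it would overrun the buffer */
        type = rd16(p + 2);
        p += 4; remaining -= 4;
    }
    *hdr_len = (size_t)(p - pkt);
    return type;
}

/* Constructed sample frames (not from the pcap attached to BIT-1463). */
static const uint8_t kTagged[] = {        /* Ethernet + one 802.1Q tag (VLAN 100) */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45,0x00 };
static const uint8_t kDoubleTagged[] = {  /* 802.1ad outer + 802.1Q inner tag */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x88,0xa8, 0x00,0x0a, 0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45,0x00 };

/* Wrappers: header length (or -1 if rejected) and inner ethertype (or -1). */
long header_len(const uint8_t *pkt, size_t caplen)
{ size_t h = 0; return parse_link_layer(pkt, caplen, &h) < 0 ? -1 : (long)h; }
int inner_type(const uint8_t *pkt, size_t caplen)
{ size_t h = 0; return parse_link_layer(pkt, caplen, &h); }

int main(void)
{
    /* Full frames parse (18 and 22 header bytes); a capture cut at 16 bytes,
     * in the middle of the VLAN tag, is rejected with -1 instead of read past. */
    printf("tagged=%ld double=%ld truncated=%ld\n", header_len(kTagged, sizeof kTagged),
           header_len(kDoubleTagged, sizeof kDoubleTagged), header_len(kTagged, 16));
    return 0;
}
```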
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 31 Aug 2015 15:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1463) heap overflow in PktSrc::Process

[ https://bro-tracker.atlassian.net/browse/BIT-1463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1463:
-------------------------------

      Status: Merge Request  (was: Open)
    Assignee:                (was: Johanna Amann)

> heap overflow in PktSrc::Process
> --------------------------------
>
>                 Key: BIT-1463
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1463
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>         Attachments: pktsrc_bug.pcap
>
>
> {code}
> ==11569==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001bcbfc at pc 0x000000da1f1b bp 0x7fff726f3d90 sp 0x7fff726f3d88
> READ of size 1 at 0x6020001bcbfc thread T0
>     #0 0xda1f1a in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:325:3
>     #1 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #2 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #3 0x7f2fd89beb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #4 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

From jira at bro-tracker.atlassian.net Mon Aug 31 14:16:00 2015
From: jira at bro-tracker.atlassian.net (Wendy Edwards (JIRA))
Date: Mon, 31 Aug 2015 16:16:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

Wendy Edwards created BIT-1470:
----------------------------------

             Summary: Implemented Functions in Notice Framework
                 Key: BIT-1470
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1470
             Project: Bro Issue Tracker
          Issue Type: Patch
          Components: Bro
    Affects Versions: 2.3
            Reporter: Wendy Edwards
         Attachments: main_mod.bro, notice_main.patch

I modified the main.bro file in the notice framework (see https://github.com/bro/bro/blob/master/scripts/base/frameworks/notice/main.bro) to implement the functions "notice_tags" and "execute_with_notice." The patch (notice_main.patch) and the modified file (main_mod.bro) are both attached.

From jira at bro-tracker.atlassian.net Mon Aug 31 14:18:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 31 Aug 2015 16:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1463) heap overflow in PktSrc::Process

[ https://bro-tracker.atlassian.net/browse/BIT-1463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21914#comment-21914 ]

Johanna Amann commented on BIT-1463:
------------------------------------

topic/johanna/bit-1463-bro24 contains the patch for 2.4.

> heap overflow in PktSrc::Process
> --------------------------------
>
>                 Key: BIT-1463
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1463
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>         Attachments: pktsrc_bug.pcap
>
>
> {code}
> ==11569==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001bcbfc at pc 0x000000da1f1b bp 0x7fff726f3d90 sp 0x7fff726f3d88
> READ of size 1 at 0x6020001bcbfc thread T0
>     #0 0xda1f1a in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:325:3
>     #1 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #2 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #3 0x7f2fd89beb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #4 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}

From jira at bro-tracker.atlassian.net Mon Aug 31 14:46:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 31 Aug 2015 16:46:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1463) heap overflow in PktSrc::Process

[ https://bro-tracker.atlassian.net/browse/BIT-1463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1463:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> heap overflow in PktSrc::Process
> --------------------------------
>
>                 Key: BIT-1463
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1463
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>         Attachments: pktsrc_bug.pcap
>
>
> {code}
> ==11569==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001bcbfc at pc 0x000000da1f1b bp 0x7fff726f3d90 sp 0x7fff726f3d88
> READ of size 1 at 0x6020001bcbfc thread T0
>     #0 0xda1f1a in iosource::PktSrc::Process() /scratch/bro-clean/src/iosource/PktSrc.cc:325:3
>     #1 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
>     #2 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
>     #3 0x7f2fd89beb44 in __libc_start_main /tmp/buildd/glibc-2.19/csu/libc-start.c:287
>     #4 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}