From noreply at bro.org Thu Oct 1 00:00:50 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 1 Oct 2015 00:00:50 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510010700.t9170oji027870@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter         Assignee      Updated     For Version  Priority  Summary
------------  -----------  ---------------  ------------  ----------  -----------  --------  ---------------------------------------------------------------
BIT-1485 [1]  Bro,Broker   Daniel Thayer    Robin Sommer  2015-09-29  -            Normal    add configure option to prevent building broker python bindings
BIT-1484 [2]  Bro          Daniel Thayer    Robin Sommer  2015-09-29  -            Normal    topic/dnthayer/doc-fixes [3]
BIT-1481 [4]  Bro          Daniel Thayer    Robin Sommer  2015-09-29  -            Normal    some test canonifiers don't always read from stdin
BIT-1479 [5]  Bro          scampbell        -             2015-09-16  -            Normal    seek functionality in RAW reader does not go to end of file
BIT-1476 [6]  BTest        Daniel Thayer    -             2015-09-13  -            Normal    btest-diff can generate too much output when a test fails
BIT-1470 [7]  Bro          Wendy Edwards    -             2015-09-11  2.5          Low       Implemented Functions in Notice Framework
BIT-1336 [8]  Bro          Vlad Grigorescu  -             2015-09-04  2.5          Trivial   ElasticSearch indices in UTC

Open Fastpath Commits
======================

Commit       Component    Author           Date        Summary
-----------  -----------  ---------------  ----------  ----------------------------------------------------
24ecb35 [9]  bro-testing  Vlad Grigorescu  2015-09-10  Add README.rst -> README symlink. Addresses BIT-1413

Open GitHub Pull Requests
=========================

Issue     Component      User           Updated     Title
--------  -------------  -------------  ----------  ----------------------------------------------------------------------------
#44 [10]  bro            yunzheng [11]  2015-09-23  Fixed parsing of V_ASN1_GENERALIZEDTIME timestamps in x509 certificates [12]
#6 [13]   bro-plugins    jswaro [14]    2015-08-24  Adding initial conversion of TCPRS to a plugin [15]
#1 [16]   broctl         J-Gras [17]    2015-09-11  Added support for packet fanout load balancing [18]
#3 [19]   packet-bricks  shirkdog [20]  2015-09-21  Add a check for FreeBSD in lua_interface.c [21]

[1]  BIT-1485               https://bro-tracker.atlassian.net/browse/BIT-1485
[2]  BIT-1484               https://bro-tracker.atlassian.net/browse/BIT-1484
[3]  doc-fixes              https://github.com/bro/bro/tree/topic/dnthayer/doc-fixes
[4]  BIT-1481               https://bro-tracker.atlassian.net/browse/BIT-1481
[5]  BIT-1479               https://bro-tracker.atlassian.net/browse/BIT-1479
[6]  BIT-1476               https://bro-tracker.atlassian.net/browse/BIT-1476
[7]  BIT-1470               https://bro-tracker.atlassian.net/browse/BIT-1470
[8]  BIT-1336               https://bro-tracker.atlassian.net/browse/BIT-1336
[9]  24ecb35                https://github.com/bro/bro-testing/commit/24ecb35f121e473bf7ff8e66b2e0c2ac68b4e6c0
[10] Pull Request #44       https://github.com/bro/bro/pull/44
[11] yunzheng               https://github.com/yunzheng
[12] Merge Pull Request #44 with git pull --no-ff --no-commit https://github.com/yunzheng/bro.git topic/x509-generalizedtime
[13] Pull Request #6        https://github.com/bro/bro-plugins/pull/6
[14] jswaro                 https://github.com/jswaro
[15] Merge Pull Request #6  with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[16] Pull Request #1        https://github.com/bro/broctl/pull/1
[17] J-Gras                 https://github.com/J-Gras
[18] Merge Pull Request #1  with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config
[19] Pull Request #3        https://github.com/bro/packet-bricks/pull/3
[20] shirkdog               https://github.com/shirkdog
[21] Merge Pull Request #3  with git pull --no-ff --no-commit https://github.com/shirkdog/packet-bricks.git master

From jira at bro-tracker.atlassian.net Thu Oct 1 15:31:00 2015
From: jira at bro-tracker.atlassian.net (Eric Karasuda (JIRA))
Date: Thu, 1 Oct 2015 17:31:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1487) protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Eric Karasuda created BIT-1487:
----------------------------------

             Summary: protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response
                 Key: BIT-1487
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1487
             Project: Bro Issue Tracker
          Issue Type: Patch
          Components: Bro
    Affects Versions: 2.4
            Reporter: Eric Karasuda
         Attachments: http-connect.patch, http-connect.pcap, output-without-patch.tar.gz, output-with-patch.tar.gz

Failure scenario:

* a client makes an HTTP request to a proxy: CONNECT secure.newegg.com:443
* the server responds HTTP 200
* the proxy adds a header to the server's response (e.g. "Proxy-agent: Apache/2.4.16 (Unix)" in the attached pcap).
* SSL handshake proceeds
* Bro fails to identify the SSL handshake

As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it instantiates a child analyzer and passes the rest of the server's response to the child. In particular, this means the "Proxy-agent" header is treated as the first data transmitted in the SSL handshake. As a result, protocol detection fails.

The attached patch remembers that the HTTP 200 was received and only instantiates the child analyzer when the newline is reached at the end of the HTTP message (e.g. after the "Proxy-agent" header).

Running {{bro -C -r http-connect.pcap}} with the attached pcap should output {{output-without-patch.tar.gz}} before applying the patch (note the absence of ssl.log) and should output {{output-with-patch.tar.gz}} after applying the patch.
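The failure described in this report, as an added illustration that is not part of the issue, the attached patch, or Bro's own code. The two splitter functions model the two behaviours the report describes (hand over everything after the status line, versus wait for the blank line that ends the HTTP message); the "swallow one empty line after the status line" step in the pre-patch model is an assumption made so that a header-less 200 still works, and the TLS check is a deliberately minimal record-header heuristic, not Bro's protocol detection. The proxy reply and TLS record bytes are constructed sample data.

```python
"""Where does a tunneled protocol start after an HTTP CONNECT response?

Added illustration of the BIT-1487 failure; not Bro's code. The splitters
model the behaviour the report describes before and after the patch, and
the TLS check is a minimal record-header heuristic, not Bro's detection.
"""

# Constructed sample data: the first TLS record the server sends through the
# tunnel (record header + a stub ServerHello handshake message).
TLS_RECORD = b"\x16\x03\x03\x00\x04" + b"\x02\x00\x00\x00"

# Proxy reply to "CONNECT host:443" without any headers ...
RESPONSE_PLAIN = b"HTTP/1.0 200 Connection Established\r\n\r\n" + TLS_RECORD

# ... and the same reply with a header inserted by the proxy, as in the report.
RESPONSE_WITH_PROXY_AGENT = (
    b"HTTP/1.0 200 Connection Established\r\n"
    b"Proxy-agent: Apache/2.4.16 (Unix)\r\n"
    b"\r\n"
    + TLS_RECORD
)


def tunnel_start_after_status_line(data: bytes) -> int:
    """Model of the pre-patch behaviour: once the 200 status line is seen,
    everything after it is handed to the child analyzer.

    Assumption of this model (not taken from Bro): an empty line that
    immediately follows the status line is swallowed, so a header-less 200
    works and only an inserted header ends up in the tunneled stream.
    Returns -1 while the status line is incomplete.
    """
    end = data.find(b"\r\n")
    if end < 0:
        return -1
    start = end + 2
    if data[start:start + 2] == b"\r\n":
        start += 2
    return start


def tunnel_start_after_headers(data: bytes) -> int:
    """Model of the patched behaviour: the tunnel starts only after the blank
    line that terminates the whole HTTP message, however many headers the
    proxy inserted. Returns -1 (keep buffering) until that line is seen."""
    end = data.find(b"\r\n\r\n")
    return end + 4 if end >= 0 else -1


def looks_like_tls_handshake(payload: bytes) -> bool:
    """Minimal TLS record-header check: content type 22 (handshake),
    protocol version 3.x, non-zero length, and a ClientHello (1) or
    ServerHello (2) as the first handshake message."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    handshake_type = payload[5]
    return (content_type == 0x16 and major == 3 and minor <= 4
            and length > 0 and handshake_type in (1, 2))


def detect(data: bytes, splitter) -> tuple[bool, bytes]:
    """Split the server's bytes with `splitter` and report whether the
    tunneled part is recognisable as a TLS handshake, plus that part."""
    start = splitter(data)
    if start < 0:
        return False, b""
    payload = data[start:]
    return looks_like_tls_handshake(payload), payload


if __name__ == "__main__":
    for name, data in (("plain", RESPONSE_PLAIN),
                       ("proxy-agent", RESPONSE_WITH_PROXY_AGENT)):
        for splitter in (tunnel_start_after_status_line,
                         tunnel_start_after_headers):
            ok, payload = detect(data, splitter)
            print(f"{name:12s} {splitter.__name__:32s} "
                  f"tls={ok} first bytes={payload[:8]!r}")
```

With the status-line splitter the plain reply is detected but the reply carrying a Proxy-agent header is not, because the header bytes are what the child sees first; with the end-of-headers splitter both are detected, and a reply whose headers have not fully arrived yet is reported as "keep buffering" rather than mis-detected.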
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-07-011#70107)

From jira at bro-tracker.atlassian.net Thu Oct 1 16:01:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 18:01:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1476) btest-diff can generate too much output when a test fails

    [ https://bro-tracker.atlassian.net/browse/BIT-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1476:
---------------------------------

    Assignee: Robin Sommer

> btest-diff can generate too much output when a test fails
> ---------------------------------------------------------
>
>                 Key: BIT-1476
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1476
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: BTest
>            Reporter: Daniel Thayer
>            Assignee: Robin Sommer
>
> When btest-diff fails for a test, it shows the file and then the diff of
> the file vs. the baseline. For small output sizes, this can be very useful, but it
> doesn't seem useful when one must scroll through hundreds (or thousands) of
> lines of output just to find where the diff begins. There is a MAX_LINES parameter
> in btest-diff to truncate the output of huge files, but it cannot be customized and
> the default value is 5000, which seems really excessive. There is also a
> TEST_DIFF_BRIEF option to prevent showing any file contents, but this is
> not desirable to use for tests with small baselines, and having to set it for each
> test with a large baseline seems like too much of a maintenance burden.

From jira at bro-tracker.atlassian.net Thu Oct 1 16:14:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 18:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1479) seek functionality in RAW reader does not go to end of file

    [ https://bro-tracker.atlassian.net/browse/BIT-1479?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1479:
---------------------------------

    Assignee: Robin Sommer

> seek functionality in RAW reader does not go to end of file
> -----------------------------------------------------------
>
>                 Key: BIT-1479
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1479
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: running bin/bro version 2.4-87-debug on linux
>            Reporter: scampbell
>            Assignee: Robin Sommer
>              Labels: input-framework
>
> When using the seek functionality for RAW input as described in
> https://github.com/bro/bro/commit/cbba73ab12b3a9935162f008fe7d05ab61c5be6a
> the code on line 397-398 will push the suggested value of -1 to 0 which will disable the SEEK_END.
> The fix would be to make the test if offset < -1, or to remove it in its entirety.
> many thanks!
> scott

From jira at bro-tracker.atlassian.net Thu Oct 1 16:15:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 18:15:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

    [ https://bro-tracker.atlassian.net/browse/BIT-1470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1470:
---------------------------------

    Assignee: Robin Sommer

> Implemented Functions in Notice Framework
> -----------------------------------------
>
>                 Key: BIT-1470
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1470
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: 2.3
>            Reporter: Wendy Edwards
>            Assignee: Robin Sommer
>            Priority: Low
>             Fix For: 2.5
>
>         Attachments: main_mod.bro, notice_main.patch
>
>
> I modified the main.bro file in the notice framework (see https://github.com/bro/bro/blob/master/scripts/base/frameworks/notice/main.bro) to implement the functions "notice_tags" and "execute_with_notice." The patch (notice_main.patch) and the modified file (main_mod.bro) are both attached.

From jira at bro-tracker.atlassian.net Thu Oct 1 16:22:02 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 18:22:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

    [ https://bro-tracker.atlassian.net/browse/BIT-1470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22409#comment-22409 ]

Robin Sommer commented on BIT-1470:
-----------------------------------

The code in notice_tags() looks pretty fragile: I'd bet that if we ever changed the fields that an Info record had, we'd forget to adapt this function.
Different idea: we could use record_fields() instead to get all the fields dynamically and then iterate through. For those that need special treatment to generate good defaults, we could still hardcode that; but for all others we'd just convert to string by default.

From jira at bro-tracker.atlassian.net Thu Oct 1 16:22:02 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 18:22:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

    [ https://bro-tracker.atlassian.net/browse/BIT-1470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1470:
------------------------------

    Status: Open  (was: Merge Request)

From jira at bro-tracker.atlassian.net Thu Oct 1 16:22:02 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 18:22:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

    [ https://bro-tracker.atlassian.net/browse/BIT-1470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22408#comment-22408 ]

Robin Sommer commented on BIT-1470:
-----------------------------------

The code in notice_tags() looks pretty fragile: I'd bet that if we ever changed the fields that an Info record had, we'd forget to adapt this function.

Different idea: we could use record_fields() instead to get all the fields dynamically and then iterate through. For those that need special treatment to generate good defaults, we could still hardcode that; but for all others we'd just convert to string by default.

From jira at bro-tracker.atlassian.net Thu Oct 1 16:23:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 18:23:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

    [ https://bro-tracker.atlassian.net/browse/BIT-1470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1470:
---------------------------------

    Assignee: Daniel Thayer  (was: Robin Sommer)
From jira at bro-tracker.atlassian.net Thu Oct 1 16:30:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 18:30:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1336) ElasticSearch indices in UTC

    [ https://bro-tracker.atlassian.net/browse/BIT-1336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1336:
---------------------------------

    Assignee: Robin Sommer

> ElasticSearch indices in UTC
> ----------------------------
>
>                 Key: BIT-1336
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1336
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Vlad Grigorescu
>            Assignee: Robin Sommer
>            Priority: Trivial
>             Fix For: 2.5
>
>
> For improved compatibility with Kibana and other ElasticSearch frontends, the timestamps on the Bro indices should be changed to UTC.

From jira at bro-tracker.atlassian.net Thu Oct 1 16:42:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 18:42:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1486) Bro crashes when trying to Start

    [ https://bro-tracker.atlassian.net/browse/BIT-1486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1486:
------------------------------

    Priority: Normal  (was: Critical)

> Bro crashes when trying to Start
> --------------------------------
>
>                 Key: BIT-1486
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1486
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: It's on a Centos 6 OS version and we are in the process of transitioning from an onboard NIC to a Myricom 10G fiber interface card.
>            Reporter: Gabriel Dinkins
>              Labels: broctl
>
> Upon trying to start the Bro IDS software it continually crashes. Upon checking the "diag" it states:
>
> ==== stderr.log
> fatal error: problem with interface p3p1 (p3p1: no IPv4 address assigned)

From jira at bro-tracker.atlassian.net Thu Oct 1 16:45:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 18:45:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1467) several tests are broken in scripts/policy/protocols/ssl

    [ https://bro-tracker.atlassian.net/browse/BIT-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22410#comment-22410 ]

Robin Sommer commented on BIT-1467:
-----------------------------------

They keep failing for me too. Is this still a canonifier problem, or are the tests themselves broken? I'd like to get this fixed; not good if we have tests that we know to fail.

> several tests are broken in scripts/policy/protocols/ssl
> --------------------------------------------------------
>
>                 Key: BIT-1467
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1467
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>            Assignee: Johanna Amann
>             Fix For: 2.5
>
>
> Due to recent bug fixes in the btest repo (see BIT-1455), it was
> discovered that several tests in the bro repo now fail due to problems
> with their canonifier.

From jira at bro-tracker.atlassian.net Thu Oct 1 16:45:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 18:45:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1467) several tests are broken in scripts/policy/protocols/ssl

    [ https://bro-tracker.atlassian.net/browse/BIT-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1467:
------------------------------

    Priority: High  (was: Normal)

From jira at bro-tracker.atlassian.net Thu Oct 1 16:54:00 2015
From: jira at bro-tracker.atlassian.net (Wendy Edwards (JIRA))
Date: Thu, 1 Oct 2015 18:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

    [ https://bro-tracker.atlassian.net/browse/BIT-1470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22411#comment-22411 ]

Wendy Edwards commented on BIT-1470:
------------------------------------

Would you like me to try making this change?

From jira at bro-tracker.atlassian.net Thu Oct 1 17:00:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 19:00:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

    [ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22412#comment-22412 ]

Robin Sommer commented on BIT-1363:
-----------------------------------

Is the conclusion that the pcap-based fan-out code that got merged recently doesn't work and should be removed? That would then also affect https://github.com/bro/broctl/pull/1.

> Clustered AF_PACKET support
> ---------------------------
>
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
>         Attachments: pcap.c
>
>
> Let's have support for packet capture with the AF_PACKET sockets in multi worker configuration.
> Bro can use a single worker with af_packet, I have tested and it works, but having direct support for multi-worker load balancing would allow avoiding pf_ring for many deployments with the traffic level where DNA / ZC / Myricom / DAG is not required.

From jira at bro-tracker.atlassian.net Thu Oct 1 17:01:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 19:01:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

    [ https://bro-tracker.atlassian.net/browse/BIT-1470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22413#comment-22413 ]

Robin Sommer commented on BIT-1470:
-----------------------------------

Sure, thanks (I should have assigned it back to you)
From jira at bro-tracker.atlassian.net Thu Oct 1 17:01:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 19:01:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

    [ https://bro-tracker.atlassian.net/browse/BIT-1470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1470:
---------------------------------

    Assignee: Wendy Edwards  (was: Daniel Thayer)

From jira at bro-tracker.atlassian.net Thu Oct 1 17:11:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 1 Oct 2015 19:11:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1467) several tests are broken in scripts/policy/protocols/ssl

    [ https://bro-tracker.atlassian.net/browse/BIT-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22414#comment-22414 ]

Johanna Amann commented on BIT-1467:
------------------------------------

The tests themselves are broken -- sorry, I will try to fix this soon.

From jira at bro-tracker.atlassian.net Thu Oct 1 21:18:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 23:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1336) ElasticSearch indices in UTC

    [ https://bro-tracker.atlassian.net/browse/BIT-1336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1336:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

From jira at bro-tracker.atlassian.net Thu Oct 1 21:18:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 1 Oct 2015 23:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1476) btest-diff can generate too much output when a test fails

    [ https://bro-tracker.atlassian.net/browse/BIT-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1476:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)
-- This message was sent by Atlassian JIRA (v7.0.0-OD-07-011#70107) From jira at bro-tracker.atlassian.net Thu Oct 1 23:45:00 2015 From: jira at bro-tracker.atlassian.net (Kris Nielander (JIRA)) Date: Fri, 2 Oct 2015 01:45:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22415#comment-22415 ] Kris Nielander commented on BIT-1363: ------------------------------------- I believe the conditions for it to work depend a little bit too much on libpcap. I would suggest removing it in favor of a separate af_packet plugin, but do leave the pcap buffer patch in place. > Clustered AF_PACKET support > --------------------------- > > Key: BIT-1363 > URL: https://bro-tracker.atlassian.net/browse/BIT-1363 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: Michal Purzynski > Attachments: pcap.c > > > Let's have a support for packet capture with the AF_PACKET sockets in multi worker configuration. > Bro can use a single worker with af_packet, I have tested and it works, but having a direct support for multi-worker load balancing would allow to avoid the pf_ring for many deployments with the traffic level where DNA / ZC / Myricom / DAG is not required. 
From noreply at bro.org Fri Oct 2 00:00:27 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 2 Oct 2015 00:00:27 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510020700.t9270RMY024104@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
BIT-1485 [1]  Bro,Broker  Daniel Thayer  Robin Sommer  2015-09-29  -            Normal    add configure option to prevent building broker python bindings
BIT-1484 [2]  Bro         Daniel Thayer  Robin Sommer  2015-09-29  -            Normal    topic/dnthayer/doc-fixes [3]
BIT-1481 [4]  Bro         Daniel Thayer  Robin Sommer  2015-09-29  -            Normal    some test canonifiers don't always read from stdin
BIT-1479 [5]  Bro         scampbell      Robin Sommer  2015-10-01  -            Normal    seek functionality in RAW reader does not go to end of file

Open Fastpath Commits
======================

Commit       Component    Author           Date        Summary
24ecb35 [6]  bro-testing  Vlad Grigorescu  2015-09-10  Add README.rst -> README symlink. Addresses BIT-1413

Open GitHub Pull Requests
=========================

Issue    Component      User           Updated     Title
#44 [7]  bro            yunzheng [8]   2015-09-23  Fixed parsing of V_ASN1_GENERALIZEDTIME timestamps in x509 certificates [9]
#6 [10]  bro-plugins    jswaro [11]    2015-10-02  Adding initial conversion of TCPRS to a plugin [12]
#1 [13]  broctl         J-Gras [14]    2015-09-11  Added support for packet fanout load balancing [15]
#3 [16]  packet-bricks  shirkdog [17]  2015-09-21  Add a check for FreeBSD in lua_interface.c [18]

[1] BIT-1485 https://bro-tracker.atlassian.net/browse/BIT-1485
[2] BIT-1484 https://bro-tracker.atlassian.net/browse/BIT-1484
[3] doc-fixes https://github.com/bro/bro/tree/topic/dnthayer/doc-fixes
[4] BIT-1481 https://bro-tracker.atlassian.net/browse/BIT-1481
[5] BIT-1479 https://bro-tracker.atlassian.net/browse/BIT-1479
[6] 24ecb35 https://github.com/bro/bro-testing/commit/24ecb35f121e473bf7ff8e66b2e0c2ac68b4e6c0
[7] Pull Request #44 https://github.com/bro/bro/pull/44
[8] yunzheng https://github.com/yunzheng
[9] Merge Pull Request #44 with git pull --no-ff --no-commit https://github.com/yunzheng/bro.git topic/x509-generalizedtime
[10] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[11] jswaro https://github.com/jswaro
[12] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[13] Pull Request #1 https://github.com/bro/broctl/pull/1
[14] J-Gras https://github.com/J-Gras
[15] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config
[16] Pull Request #3 https://github.com/bro/packet-bricks/pull/3
[17] shirkdog https://github.com/shirkdog
[18] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/shirkdog/packet-bricks.git master

From jira at bro-tracker.atlassian.net Fri Oct 2 00:19:00 2015
From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA))
Date: Fri, 2 Oct 2015 02:19:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

    [ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22416#comment-22416 ]

Jan Grashoefer commented on BIT-1363:
-------------------------------------

@Robin: You are right. I have already started writing the AF_PACKET plugin for Bro and I can update my broctl patch as well.

> Clustered AF_PACKET support
> ---------------------------
>
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
>         Attachments: pcap.c
>
>
> Let's have support for packet capture with AF_PACKET sockets in a multi-worker configuration.
> Bro can use a single worker with af_packet, I have tested it and it works, but having direct support for multi-worker load balancing would allow avoiding pf_ring for many deployments with traffic levels where DNA / ZC / Myricom / DAG is not required.
From jira at bro-tracker.atlassian.net Fri Oct 2 07:55:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 2 Oct 2015 09:55:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

    [ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1363:
---------------------------------

    Assignee: Robin Sommer

> Clustered AF_PACKET support
> ---------------------------
>
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
>            Assignee: Robin Sommer
>         Attachments: pcap.c
>
>
> Let's have support for packet capture with AF_PACKET sockets in a multi-worker configuration.
> Bro can use a single worker with af_packet, I have tested it and it works, but having direct support for multi-worker load balancing would allow avoiding pf_ring for many deployments with traffic levels where DNA / ZC / Myricom / DAG is not required.

From jira at bro-tracker.atlassian.net Fri Oct 2 07:55:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 2 Oct 2015 09:55:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

    [ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22417#comment-22417 ]

Robin Sommer commented on BIT-1363:
-----------------------------------

Ok, I'll remove. Looking forward to the plugin!

> Clustered AF_PACKET support
> ---------------------------
>
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
>            Assignee: Robin Sommer
>         Attachments: pcap.c
>
>
> Let's have support for packet capture with AF_PACKET sockets in a multi-worker configuration.
> Bro can use a single worker with af_packet, I have tested it and it works, but having direct support for multi-worker load balancing would allow avoiding pf_ring for many deployments with traffic levels where DNA / ZC / Myricom / DAG is not required.

From jira at bro-tracker.atlassian.net Fri Oct 2 08:04:00 2015
From: jira at bro-tracker.atlassian.net (Michal Purzynski (JIRA))
Date: Fri, 2 Oct 2015 10:04:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

    [ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22418#comment-22418 ]

Michal Purzynski commented on BIT-1363:
---------------------------------------

Yes, please remove the change and just leave the configurable buffer if you can. Going through libpcap, which might or might not work, taught us to write a packet source plugin instead, which won't depend on anything, and less code is always nice. Always nice to learn something.

> Clustered AF_PACKET support
> ---------------------------
>
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
>            Assignee: Robin Sommer
>         Attachments: pcap.c
>
>
> Let's have support for packet capture with AF_PACKET sockets in a multi-worker configuration.
> Bro can use a single worker with af_packet, I have tested it and it works, but having direct support for multi-worker load balancing would allow avoiding pf_ring for many deployments with traffic levels where DNA / ZC / Myricom / DAG is not required.

From jira at bro-tracker.atlassian.net Fri Oct 2 08:40:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 2 Oct 2015 10:40:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1479) seek functionality in RAW reader does not go to end of file

    [ https://bro-tracker.atlassian.net/browse/BIT-1479?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1479:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> seek functionality in RAW reader does not go to end of file
> -----------------------------------------------------------
>
>                 Key: BIT-1479
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1479
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: running bin/bro version 2.4-87-debug on linux
>            Reporter: scampbell
>            Assignee: Robin Sommer
>              Labels: input-framework
>
> When using the seek functionality for RAW input as described in
> https://github.com/bro/bro/commit/cbba73ab12b3a9935162f008fe7d05ab61c5be6a
> the code on lines 397-398 will push the suggested value of -1 to 0, which will disable the SEEK_END.
> The fix would be to make the test "if offset < -1", or to remove it in its entirety.
> many thanks!
> scott

From jira at bro-tracker.atlassian.net Fri Oct 2 08:40:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 2 Oct 2015 10:40:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1485) add configure option to prevent building broker python bindings

    [ https://bro-tracker.atlassian.net/browse/BIT-1485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1485:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> add configure option to prevent building broker python bindings
> ---------------------------------------------------------------
>
>                 Key: BIT-1485
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1485
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro, Broker
>            Reporter: Daniel Thayer
>            Assignee: Robin Sommer
>
> There should be a configure option to prevent building the broker python bindings.
> Also, the summary output of configure should more clearly show whether or not
> pybroker will be built (for example, if you have an older version of swig, it's not easy
> to see the warning message about not being able to build python bindings).
From jira at bro-tracker.atlassian.net Fri Oct 2 08:40:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 2 Oct 2015 10:40:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1481) some test canonifiers don't always read from stdin

    [ https://bro-tracker.atlassian.net/browse/BIT-1481?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1481:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> some test canonifiers don't always read from stdin
> --------------------------------------------------
>
>                 Key: BIT-1481
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1481
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>            Assignee: Robin Sommer
>
> Some of the test canonifier scripts being used in the Bro test suite
> cannot reliably be combined with other canonifiers in a pipeline.
> For example, this works:
> TEST_DIFF_CANONIFIER="diff-remove-x509-names | diff-remove-timestamps"
> but switching the order of these canonifiers does not work:
> TEST_DIFF_CANONIFIER="diff-remove-timestamps | diff-remove-x509-names"

From jira at bro-tracker.atlassian.net Fri Oct 2 08:40:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 2 Oct 2015 10:40:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1484) topic/dnthayer/doc-fixes

    [ https://bro-tracker.atlassian.net/browse/BIT-1484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1484:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> topic/dnthayer/doc-fixes
> ------------------------
>
>                 Key: BIT-1484
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1484
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>            Assignee: Robin Sommer
>
> The branch "topic/dnthayer/doc-fixes" in the bro repo contains various
> doc fixes and improvements that I've collected over the past two months.
> These are mostly just small fixes or clarifications based on user questions on
> the mailing list. The most significant changes are to the input framework
> and the GeoIP documentation.
From jira at bro-tracker.atlassian.net Fri Oct 2 12:20:01 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 2 Oct 2015 14:20:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1467) several tests are broken in scripts/policy/protocols/ssl

    [ https://bro-tracker.atlassian.net/browse/BIT-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22419#comment-22419 ]

Johanna Amann commented on BIT-1467:
------------------------------------

topic/dnthayer/ticket1467 should be ready to merge now - the tests seem to pass on anything I managed to get my hands on.

> several tests are broken in scripts/policy/protocols/ssl
> --------------------------------------------------------
>
>                 Key: BIT-1467
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1467
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>            Assignee: Johanna Amann
>            Priority: High
>             Fix For: 2.5
>
>
> Due to recent bug fixes in the btest repo (see BIT-1455), it was
> discovered that several tests in the bro repo now fail due to problems
> with their canonifier.

From jira at bro-tracker.atlassian.net Fri Oct 2 12:20:01 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 2 Oct 2015 14:20:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1467) several tests are broken in scripts/policy/protocols/ssl

    [ https://bro-tracker.atlassian.net/browse/BIT-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1467:
-------------------------------

      Status: Merge Request  (was: Open)
    Assignee:     (was: Johanna Amann)

> several tests are broken in scripts/policy/protocols/ssl
> --------------------------------------------------------
>
>                 Key: BIT-1467
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1467
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>            Priority: High
>             Fix For: 2.5
>
>
> Due to recent bug fixes in the btest repo (see BIT-1455), it was
> discovered that several tests in the bro repo now fail due to problems
> with their canonifier.
From noreply at bro.org Sat Oct 3 00:00:22 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 3 Oct 2015 00:00:22 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510030700.t9370MRT005284@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter       Assignee  Updated     For Version  Priority  Summary
BIT-1467 [1]  Bro        Daniel Thayer  -         2015-10-02  2.5          High      several tests are broken in scripts/policy/protocols/ssl

Open Fastpath Commits
======================

Commit       Component    Author           Date        Summary
24ecb35 [2]  bro-testing  Vlad Grigorescu  2015-09-10  Add README.rst -> README symlink. Addresses BIT-1413

Open GitHub Pull Requests
=========================

Issue    Component      Username       Updated     Title
#6 [3]   bro-plugins    jswaro [4]     2015-10-02  Adding initial conversion of TCPRS to a plugin [5]
#1 [6]   broctl         J-Gras [7]     2015-09-11  Added support for packet fanout load balancing [8]
#3 [9]   packet-bricks  shirkdog [10]  2015-09-21  Add a check for FreeBSD in lua_interface.c [11]

[1] BIT-1467 https://bro-tracker.atlassian.net/browse/BIT-1467
[2] 24ecb35 https://github.com/bro/bro-testing/commit/24ecb35f121e473bf7ff8e66b2e0c2ac68b4e6c0
[3] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[4] jswaro https://github.com/jswaro
[5] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[6] Pull Request #1 https://github.com/bro/broctl/pull/1
[7] J-Gras https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config
[9] Pull Request #3 https://github.com/bro/packet-bricks/pull/3
[10] shirkdog https://github.com/shirkdog
[11] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/shirkdog/packet-bricks.git master

From jira at bro-tracker.atlassian.net Sat Oct 3 07:49:00 2015
From: jira at bro-tracker.atlassian.net (Oman Security Officer (JIRA))
Date: Sat, 3 Oct 2015 09:49:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1488) ICMP analyser incorrectly handles ICMP connections

Oman Security Officer created BIT-1488:
------------------------------------------

             Summary: ICMP analyser incorrectly handles ICMP connections
                 Key: BIT-1488
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1488
             Project: Bro Issue Tracker
          Issue Type: New Feature
          Components: Bro
    Affects Versions: 2.4
         Environment: Security Onion 12.4 (Linux 3.13.0-63-generic #104~precise1-Ubuntu SMP x86_64 GNU/Linux) installed on VMware Workstation (10.0.3 build-1895310) running on Windows 8.1 Enterprise
            Reporter: Oman Security Officer
         Attachments: results.txt, test_icmp.bro

I have been testing Bro scripts on the DARPA 1998 dataset (Week 3 - Wednesday) tcpdump [https://www.ll.mit.edu/ideval/data/1998/training/week3/wednesday/tcpdump.gz]. This file contains a lot of ICMP packets. I was testing ICMP events in Bro to understand their role.

* event *icmp_echo_request*(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
* event *icmp_echo_reply*(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)

It seems that the ICMP analyser does not handle ICMP connections in the right way. I have noticed that, when I use those 2 events, the *c: connection* variable does not return the right results. For example, the mentioned DARPA file contains the following ICMP traces between hosts 202.72.1.77 and 172.16.112.50. The exchanged packets are summarized in the following table:

No.    Time              Source         Destination    Protocol  Length  Info
28076  898088609.998513  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request  id=0xf305 seq=0/0   ttl=63
28077  898088610.000822  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply    id=0xf305 seq=0/0   ttl=254
28150  898088612.998292  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request  id=0xf305 seq=256/1 ttl=63
28151  898088612.998641  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply    id=0xf305 seq=256/1 ttl=254
28669  898088644.998259  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request  id=0xf405 seq=0/0   ttl=63
28670  898088644.998652  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply    id=0xf405 seq=0/0   ttl=254
28682  898088647.998159  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request  id=0xf405 seq=256/1 ttl=63
28683  898088647.998566  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply    id=0xf405 seq=256/1 ttl=254

30478  898088768.759437  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request  id=0xf176 seq=0/0   ttl=63
30479  898088768.760917  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply    id=0xf176 seq=0/0   ttl=254
31016  898088797.366418  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request  id=0xf276 seq=0/0   ttl=63
31017  898088797.366861  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply    id=0xf276 seq=0/0   ttl=254

It can be seen that there are 6 ICMP connections exchanging 12 packets (6 Echo Requests and 6 Echo Replies), whereas Bro will handle them as 2 connections only, making the final results inaccurate. I have found that Bro will treat all requests and replies between timestamps 898088609.998513 and 898088647.998566 as *one connection* (the first group in the table above) and between timestamps 898088768.759437 and 898088797.366861 as *another connection* (the second group).

The results of calling the events *icmp_echo_request* and *icmp_echo_reply* on that file between the named hosts (202.72.1.77 and 172.16.112.50) can be found in the attached file (results.txt), as well as the script file (test_icmp.bro). The following commands were called to obtain the results:

> wget -c https://www.ll.mit.edu/ideval/data/1998/training/week3/wednesday/tcpdump.gz
> gzip -d < tcpdump.gz > week3_Wednesday.tcpdump
> bro -r week3_Wednesday.tcpdump test_icmp.bro > results.txt

From noreply at bro.org Sun Oct 4 00:00:25 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 4 Oct 2015 00:00:25 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510040700.t9470P4H014487@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter       Assignee  Updated     For Version  Priority  Summary
BIT-1467 [1]  Bro        Daniel Thayer  -         2015-10-02  2.5          High      several tests are broken in scripts/policy/protocols/ssl

Open Fastpath Commits
======================

Commit       Component    Author           Date        Summary
24ecb35 [2]  bro-testing  Vlad Grigorescu  2015-09-10  Add README.rst -> README symlink. Addresses BIT-1413

Open GitHub Pull Requests
=========================

Issue    Component      User           Updated     Title
#6 [3]   bro-plugins    jswaro [4]     2015-10-02  Adding initial conversion of TCPRS to a plugin [5]
#1 [6]   broctl         J-Gras [7]     2015-09-11  Added support for packet fanout load balancing [8]
#3 [9]   packet-bricks  shirkdog [10]  2015-09-21  Add a check for FreeBSD in lua_interface.c [11]

[1] BIT-1467 https://bro-tracker.atlassian.net/browse/BIT-1467
[2] 24ecb35 https://github.com/bro/bro-testing/commit/24ecb35f121e473bf7ff8e66b2e0c2ac68b4e6c0
[3] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[4] jswaro https://github.com/jswaro
[5] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[6] Pull Request #1 https://github.com/bro/broctl/pull/1
[7] J-Gras https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config
[9] Pull Request #3 https://github.com/bro/packet-bricks/pull/3
[10] shirkdog https://github.com/shirkdog
[11] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/shirkdog/packet-bricks.git master

From noreply at bro.org Mon Oct 5 00:00:26 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 5 Oct 2015 00:00:26 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510050700.t9570Qam030891@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter       Assignee  Updated     For Version  Priority  Summary
BIT-1467 [1]  Bro        Daniel Thayer  -         2015-10-02  2.5          High      several tests are broken in scripts/policy/protocols/ssl

Open Fastpath Commits
======================

Commit       Component    Author           Date        Summary
24ecb35 [2]  bro-testing  Vlad Grigorescu  2015-09-10  Add README.rst -> README symlink. Addresses BIT-1413

Open GitHub Pull Requests
=========================

Issue    Component      User           Updated     Title
#6 [3]   bro-plugins    jswaro [4]     2015-10-05  Adding initial conversion of TCPRS to a plugin [5]
#1 [6]   broctl         J-Gras [7]     2015-09-11  Added support for packet fanout load balancing [8]
#3 [9]   packet-bricks  shirkdog [10]  2015-09-21  Add a check for FreeBSD in lua_interface.c [11]

[1] BIT-1467 https://bro-tracker.atlassian.net/browse/BIT-1467
[2] 24ecb35 https://github.com/bro/bro-testing/commit/24ecb35f121e473bf7ff8e66b2e0c2ac68b4e6c0
[3] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[4] jswaro https://github.com/jswaro
[5] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[6] Pull Request #1 https://github.com/bro/broctl/pull/1
[7] J-Gras https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config
[9] Pull Request #3 https://github.com/bro/packet-bricks/pull/3
[10] shirkdog https://github.com/shirkdog
[11] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/shirkdog/packet-bricks.git master

From jira at bro-tracker.atlassian.net Mon Oct 5 09:16:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 5 Oct 2015 11:16:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1467) several tests are broken in scripts/policy/protocols/ssl

    [ https://bro-tracker.atlassian.net/browse/BIT-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1467:
---------------------------------

    Assignee: Robin Sommer
> several tests are broken in scripts/policy/protocols/ssl
> --------------------------------------------------------
>
>                 Key: BIT-1467
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1467
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>            Assignee: Robin Sommer
>            Priority: High
>             Fix For: 2.5
>
>
> Due to recent bug fixes in the btest repo (see BIT-1455), it was
> discovered that several tests in the bro repo now fail due to problems
> with their canonifier.

From jira at bro-tracker.atlassian.net Mon Oct 5 15:44:01 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 5 Oct 2015 17:44:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1487) protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

    [ https://bro-tracker.atlassian.net/browse/BIT-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1487:
-------------------------------

    Fix Version/s: 2.5

> protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response
> --------------------------------------------------------------------------------------------------
>
>                 Key: BIT-1487
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1487
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Eric Karasuda
>             Fix For: 2.5
>
>         Attachments: http-connect.patch, http-connect.pcap, output-without-patch.tar.gz, output-with-patch.tar.gz
>
>
> Failure scenario:
> * a client makes an HTTP request to a proxy: CONNECT secure.newegg.com:443
> * the server responds HTTP 200
> * the proxy adds a header to the server's response (e.g. "Proxy-agent: Apache/2.4.16 (Unix)" in the attached pcap).
> * SSL handshake proceeds
> * Bro fails to identify the SSL handshake
> As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it instantiates a child analyzer and passes the rest of the server's response to the child. In particular, this means the "Proxy-agent" header is treated as the first data transmitted in the SSL handshake. As a result, protocol detection fails.
> The attached patch remembers that the HTTP 200 was received and only instantiates the child analyzer when the newline is reached at the end of the HTTP message (e.g. after the "Proxy-agent" header).
> Running "bro -C -r http-connect.pcap" with the attached pcap should output output-without-patch.tar.gz before applying the patch (note the absence of ssl.log) and should output output-with-patch.tar.gz after applying the patch.

From jira at bro-tracker.atlassian.net Mon Oct 5 15:45:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 5 Oct 2015 17:45:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1487) protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

    [ https://bro-tracker.atlassian.net/browse/BIT-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1487:
-------------------------------

    Status: Merge Request  (was: Open)

> protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response
> --------------------------------------------------------------------------------------------------
>
>                 Key: BIT-1487
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1487
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Eric Karasuda
>             Fix For: 2.5
>
>         Attachments: http-connect.patch, http-connect.pcap, output-without-patch.tar.gz, output-with-patch.tar.gz
>
>
> Failure scenario:
> * a client makes an HTTP request to a proxy: CONNECT secure.newegg.com:443
> * the server responds HTTP 200
> * the proxy adds a header to the server's response (e.g. "Proxy-agent: Apache/2.4.16 (Unix)" in the attached pcap).
> * SSL handshake proceeds
> * Bro fails to identify the SSL handshake
> As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it instantiates a child analyzer and passes the rest of the server's response to the child. In particular, this means the "Proxy-agent" header is treated as the first data transmitted in the SSL handshake. As a result, protocol detection fails.
> The attached patch remembers that the HTTP 200 was received and only instantiates the child analyzer when the newline is reached at the end of the HTTP message (e.g. after the "Proxy-agent" header).
> Running "bro -C -r http-connect.pcap" with the attached pcap should output output-without-patch.tar.gz before applying the patch (note the absence of ssl.log) and should output output-with-patch.tar.gz after applying the patch.
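The CONNECT hand-off described in the BIT-1487 report above, as an added example that is not part of the ticket, Bro's HTTP analyzer or the attached patch: a simplified model of the pre-patch behaviour (switch to the child analyzer right after the 200 status line) beside a model of the patched behaviour (remember the 200, keep consuming header lines, hand over only after the empty line). The proxy reply bytes, the TLS record bytes and the minimal TLS record sniff are all constructed here for illustration, not taken from the pcap.

```python
"""Model of the HTTP CONNECT tunnel hand-off from BIT-1487.

Constructed illustration, not Bro's HTTP analyzer or the attached patch.
The bug: after "HTTP/1.0 200 Connection Established\r\n" the remainder of
the proxy's reply (here a "Proxy-agent" header) is forwarded as the first
server bytes of the tunnelled protocol, so TLS detection on the child fails.
"""
from typing import List, Optional

CRLF = b"\r\n"

# Constructed proxy reply, shaped like the one the report describes.
PROXY_REPLY_WITH_HEADER = (
    b"HTTP/1.0 200 Connection Established\r\n"
    b"Proxy-agent: Apache/2.4.16 (Unix)\r\n"
    b"\r\n"
)
# The same reply from a proxy that adds no headers (the case that worked).
PROXY_REPLY_BARE = b"HTTP/1.0 200 Connection Established\r\n\r\n"

# Constructed start of a TLS record: content type 0x16 (handshake),
# version 3.1, 4-byte body (truncated ServerHello header). Sample only.
TLS_RECORD = b"\x16\x03\x01\x00\x04\x02\x00\x00\x00"


def is_tls_record(data: Optional[bytes]) -> bool:
    """Minimal TLS record sniff (not Bro's DPD): a known content type and
    SSL/TLS major version 3 in the first bytes the child analyzer sees."""
    return (data is not None and len(data) >= 5
            and data[0] in (0x14, 0x15, 0x16, 0x17)
            and data[1] == 3 and data[2] <= 3)


def naive_child_data(server_bytes: bytes) -> Optional[bytes]:
    """Pre-patch behaviour as described in the report (simplified model):
    hand everything after the status line to the child analyzer. An empty
    line that immediately follows is swallowed as the end of the reply,
    which is why a proxy adding no headers did not trigger the bug."""
    end = server_bytes.find(CRLF)
    if end < 0:
        return None  # status line incomplete, keep waiting
    rest = server_bytes[end + 2:]
    if rest.startswith(CRLF):
        rest = rest[2:]
    return rest


class ConnectReplyParser:
    """Patched behaviour as described in the report (simplified model):
    remember that the 200 arrived, keep consuming header lines, and hand
    data to the child analyzer only once the terminating empty line is
    seen. State survives across chunks, as a TCP stream delivers them."""

    def __init__(self) -> None:
        self.buf = b""
        self.status_line: Optional[bytes] = None
        self.headers: List[bytes] = []
        self.tunnel_started = False
        self.child_data = b""  # exactly what the child analyzer receives

    def feed(self, chunk: bytes) -> None:
        if self.tunnel_started:
            self.child_data += chunk
            return
        self.buf += chunk
        while not self.tunnel_started:
            end = self.buf.find(CRLF)
            if end < 0:
                return  # need more data before deciding
            line, self.buf = self.buf[:end], self.buf[end + 2:]
            if self.status_line is None:
                self.status_line = line
            elif line == b"":
                # End of the proxy's reply: everything after it is tunnelled.
                self.tunnel_started = True
                self.child_data += self.buf
                self.buf = b""
            else:
                self.headers.append(line)


def child_sees_tls(reply: bytes, chunk_size: Optional[int] = None) -> bool:
    """Run the patched parser over reply + TLS_RECORD, optionally in chunks,
    and report whether the child analyzer's first bytes look like TLS."""
    stream = reply + TLS_RECORD
    parser = ConnectReplyParser()
    if chunk_size is None:
        parser.feed(stream)
    else:
        for i in range(0, len(stream), chunk_size):
            parser.feed(stream[i:i + chunk_size])
    return parser.child_data == TLS_RECORD and is_tls_record(parser.child_data)


if __name__ == "__main__":
    for name, reply in (("bare", PROXY_REPLY_BARE),
                        ("with header", PROXY_REPLY_WITH_HEADER)):
        naive = naive_child_data(reply + TLS_RECORD)
        print(f"{name:12} naive child sees TLS: {is_tls_record(naive)}; "
              f"patched (7-byte chunks): {child_sees_tls(reply, 7)}")
```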
-- This message was sent by Atlassian JIRA (v7.0.0-OD-07-011#70107)

From noreply at bro.org Tue Oct 6 00:00:22 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 6 Oct 2015 00:00:22 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510060700.t9670M4J008193@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ---------  -------------  ------------  ----------  -----------  --------  -------
BIT-1487 [1]  Bro        Eric Karasuda  -             2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response
BIT-1467 [2]  Bro        Daniel Thayer  Robin Sommer  2015-10-05  2.5          High      several tests are broken in scripts/policy/protocols/ssl

Open GitHub Pull Requests
=========================

Issue   Component    User        Updated     Title
------  -----------  ----------  ----------  -----
#6 [3]  bro-plugins  jswaro [4]  2015-10-06  Adding initial conversion of TCPRS to a plugin [5]
#1 [6]  broctl       J-Gras [7]  2015-09-11  Added support for packet fanout load balancing [8]

[1] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[2] BIT-1467 https://bro-tracker.atlassian.net/browse/BIT-1467
[3] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[4] jswaro https://github.com/jswaro
[5] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[6] Pull Request #1 https://github.com/bro/broctl/pull/1
[7] J-Gras https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Tue Oct 6 07:21:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 6 Oct 2015 09:21:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1467) several tests are broken in scripts/policy/protocols/ssl

[ https://bro-tracker.atlassian.net/browse/BIT-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1467:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> several tests are broken in scripts/policy/protocols/ssl
> --------------------------------------------------------
>
>                 Key: BIT-1467
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1467
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>            Assignee: Robin Sommer
>            Priority: High
>             Fix For: 2.5
>
>
> Due to recent bug fixes in the btest repo (see BIT-1455), it was
> discovered that several tests in the bro repo now fail due to problems
> with their canonifier.

From noreply at bro.org Wed Oct 7 00:00:25 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 7 Oct 2015 00:00:25 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510070700.t9770PY2019315@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter       Assignee  Updated     For Version  Priority  Summary
------------  ---------  -------------  --------  ----------  -----------  --------  -------
BIT-1487 [1]  Bro        Eric Karasuda  -         2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue   Component    User        Updated     Title
------  -----------  ----------  ----------  -----
#6 [2]  bro-plugins  jswaro [3]  2015-10-06  Adding initial conversion of TCPRS to a plugin [4]
#1 [5]  broctl       J-Gras [6]  2015-09-11  Added support for packet fanout load balancing [7]

[1] BIT-1487
https://bro-tracker.atlassian.net/browse/BIT-1487
[2] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[3] jswaro https://github.com/jswaro
[4] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[5] Pull Request #1 https://github.com/bro/broctl/pull/1
[6] J-Gras https://github.com/J-Gras
[7] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Wed Oct 7 01:46:00 2015
From: jira at bro-tracker.atlassian.net (Oman Security Officer (JIRA))
Date: Wed, 7 Oct 2015 03:46:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1488) ICMP analyser incorrectly handles ICMP connections

[ https://bro-tracker.atlassian.net/browse/BIT-1488?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oman Security Officer updated BIT-1488:
---------------------------------------

    Status: Merge Request  (was: Open)

> ICMP analyser incorrectly handles ICMP connections
> --------------------------------------------------
>
>                 Key: BIT-1488
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1488
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: Security Onion 12.4 (Linux 3.13.0-63-generic #104~precise1-Ubuntu SMP x86_64 GNU/Linux) installed on VMware Workstation (10.0.3 build-1895310) running on Windows 8.1 Enterprise
>            Reporter: Oman Security Officer
>              Labels: analyzer
>         Attachments: results.txt, test_icmp.bro
>
>
> I have been testing BRO scripts on the DARPA 1998 dataset (Week 3 - Wednesday) TCPDUMP [https://www.ll.mit.edu/ideval/data/1998/training/week3/wednesday/tcpdump.gz]. This file contains a lot of ICMP packets. I was testing ICMP events in BRO to understand their role.
>
> * event *icmp_echo_request*(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
> * event *icmp_echo_reply*(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
>
> It seems that the ICMP analyser does not handle the ICMP connections in the right way. I have noticed that when I use those 2 events the "*c: connection*" variable does not return the right results.
>
> For example, the mentioned DARPA file contains the following ICMP traces between hosts 202.72.1.77 and 172.16.112.50. The exchanged packets are summarized in the following table:
>
> No.    Time              Source         Destination    Protocol  Length  Info
> 28076  898088609.998513  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request  id=0xf305 seq=0/0    ttl=63
> 28077  898088610.000822  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply    id=0xf305 seq=0/0    ttl=254
> 28150  898088612.998292  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request  id=0xf305 seq=256/1  ttl=63
> 28151  898088612.998641  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply    id=0xf305 seq=256/1  ttl=254
> 28669  898088644.998259  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request  id=0xf405 seq=0/0    ttl=63
> 28670  898088644.998652  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply    id=0xf405 seq=0/0    ttl=254
> 28682  898088647.998159  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request  id=0xf405 seq=256/1  ttl=63
> 28683  898088647.998566  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply    id=0xf405 seq=256/1  ttl=254
>
> 30478  898088768.759437  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request  id=0xf176 seq=0/0    ttl=63
> 30479  898088768.760917  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply    id=0xf176 seq=0/0    ttl=254
> 31016  898088797.366418  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request  id=0xf276 seq=0/0    ttl=63
> 31017  898088797.366861  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply    id=0xf276 seq=0/0    ttl=254
>
> It can be seen that there are 6 ICMP connections by exchanging 12 packets (6 Echo Requests and 6 Echo Replies). Bro, however, will handle them as 2 connections only, making the final results inaccurate.
>
> I have found that BRO will treat all requests and replies between timestamps 898088609.998513 and 898088647.998566 as *one connection* and between timestamps 898088768.759437 and 898088797.366861 as *another connection*.
>
> The results of calling events *icmp_echo_request* and *icmp_echo_reply* on that file between the named hosts (202.72.1.77 and 172.16.112.50) can be found in the attached file (results.txt) as well as the script file (test_icmp.bro).
>
> The following commands were called to obtain the results
>
> > wget -c https://www.ll.mit.edu/ideval/data/1998/training/week3/wednesday/tcpdump.gz
> > gzip -d < tcpdump.gz > week3_Wednesday.tcpdump
> > bro -r week3_Wednesday.tcpdump test_icmp.bro > results.txt

From jira at bro-tracker.atlassian.net Wed Oct 7 14:35:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 7 Oct 2015 16:35:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1489) topic/dnthayer/ticket1396

Daniel Thayer created BIT-1489:
----------------------------------

             Summary: topic/dnthayer/ticket1396
                 Key: BIT-1489
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1489
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BroControl
            Reporter: Daniel Thayer


Branch topic/dnthayer/ticket1396 in the broctl repo was originally intended
to address BIT-1396 (logs disappearing on broctl restart). Most of the commits
in this branch are aimed at making it easier to diagnose such problems
in the future.
The most user-visible changes are:

1) post-terminate will now send an email if it fails to archive any logs,
2) post-terminate will now re-try to archive logs that previously failed to be archived,
3) improvements to some error messages,
4) better sanity checking of config values,
5) significant improvements to the broctl README

From jira at bro-tracker.atlassian.net Wed Oct 7 14:38:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 7 Oct 2015 16:38:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1489) topic/dnthayer/ticket1396

[ https://bro-tracker.atlassian.net/browse/BIT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1489:
-------------------------------

    Status: Merge Request  (was: Open)

> topic/dnthayer/ticket1396
> -------------------------
>
>                 Key: BIT-1489
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1489
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>             Fix For: 2.5
>
>
> Branch topic/dnthayer/ticket1396 in the broctl repo was originally intended
> to address BIT-1396 (logs disappearing on broctl restart). Most of the commits
> in this branch are aimed at making it easier to diagnose such problems
> in the future.
> The most user-visible changes are:
> 1) post-terminate will now send an email if it fails to archive any logs,
> 2) post-terminate will now re-try to archive logs that previously failed to be archived,
> 3) improvements to some error messages,
> 4) better sanity checking of config values,
> 5) significant improvements to the broctl README

From jira at bro-tracker.atlassian.net Wed Oct 7 14:38:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 7 Oct 2015 16:38:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1489) topic/dnthayer/ticket1396

[ https://bro-tracker.atlassian.net/browse/BIT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1489:
-------------------------------

    Fix Version/s: 2.5

> topic/dnthayer/ticket1396
> -------------------------
>
>                 Key: BIT-1489
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1489
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>             Fix For: 2.5
>
>
> Branch topic/dnthayer/ticket1396 in the broctl repo was originally intended
> to address BIT-1396 (logs disappearing on broctl restart). Most of the commits
> in this branch are aimed at making it easier to diagnose such problems
> in the future.
> The most user-visible changes are:
> 1) post-terminate will now send an email if it fails to archive any logs,
> 2) post-terminate will now re-try to archive logs that previously failed to be archived,
> 3) improvements to some error messages,
> 4) better sanity checking of config values,
> 5) significant improvements to the broctl README

From jira at bro-tracker.atlassian.net Wed Oct 7 14:38:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 7 Oct 2015 16:38:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1489) topic/dnthayer/ticket1396

[ https://bro-tracker.atlassian.net/browse/BIT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer reassigned BIT-1489:
----------------------------------

    Assignee: Justin Azoff

> topic/dnthayer/ticket1396
> -------------------------
>
>                 Key: BIT-1489
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1489
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>            Assignee: Justin Azoff
>             Fix For: 2.5
>
>
> Branch topic/dnthayer/ticket1396 in the broctl repo was originally intended
> to address BIT-1396 (logs disappearing on broctl restart). Most of the commits
> in this branch are aimed at making it easier to diagnose such problems
> in the future.
> The most user-visible changes are:
> 1) post-terminate will now send an email if it fails to archive any logs,
> 2) post-terminate will now re-try to archive logs that previously failed to be archived,
> 3) improvements to some error messages,
> 4) better sanity checking of config values,
> 5) significant improvements to the broctl README

From noreply at bro.org Thu Oct 8 00:00:27 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 8 Oct 2015 00:00:27 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510080700.t9870RtV023059@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter               Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------------  ------------  ----------  -----------  --------  -------
BIT-1489 [1]  BroControl  Daniel Thayer          Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1488 [3]  Bro         Oman Security Officer  -             2015-10-07  -            Normal    ICMP analyser incorrectly handles ICMP connections
BIT-1487 [4]  Bro         Eric Karasuda          -             2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue   Component    User        Updated     Title
------  -----------  ----------  ----------  -----
#6 [5]  bro-plugins  jswaro [6]  2015-10-06  Adding initial conversion of TCPRS to a plugin [7]
#1 [8]  broctl       J-Gras [9]  2015-09-11  Added support for packet fanout load balancing [10]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1488 https://bro-tracker.atlassian.net/browse/BIT-1488
[4] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[5] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[6] jswaro https://github.com/jswaro
[7] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[8] Pull Request #1 https://github.com/bro/broctl/pull/1
[9] J-Gras https://github.com/J-Gras
[10] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Fri Oct 9 00:00:24 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 9 Oct 2015 00:00:24 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510090700.t9970O2D013901@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter               Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------------  ------------  ----------  -----------  --------  -------
BIT-1489 [1]  BroControl  Daniel Thayer          Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1488 [3]  Bro         Oman Security Officer  -             2015-10-07  -            Normal    ICMP analyser incorrectly handles ICMP connections
BIT-1487 [4]  Bro         Eric Karasuda          -             2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue   Component    User        Updated     Title
------  -----------  ----------  ----------  -----
#6 [5]  bro-plugins  jswaro [6]  2015-10-06  Adding initial conversion of TCPRS to a plugin [7]
#1 [8]  broctl       J-Gras [9]  2015-10-08  Added support for packet fanout load balancing [10]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1488 https://bro-tracker.atlassian.net/browse/BIT-1488
[4] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[5] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[6] jswaro https://github.com/jswaro
[7] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[8] Pull Request #1 https://github.com/bro/broctl/pull/1
[9] J-Gras https://github.com/J-Gras
[10] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Fri Oct 9 11:47:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 9 Oct 2015 13:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days.

Seth Hall created BIT-1490:
------------------------------

             Summary: Need ability to expire logs with more granularity than #days.
                 Key: BIT-1490
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1490
             Project: Bro Issue Tracker
          Issue Type: Improvement
          Components: BroControl
    Affects Versions: git/master
            Reporter: Seth Hall
            Priority: Low


There are some users that would like or need to have BroControl maintain their collected logs with tighter granularity than how many days old the logs are.

Right now the find command that determines which files to delete uses `-mtime` which is `x*24hr`. We would need to use the `-mmin` argument otherwise, but I suspect this would introduce the need to do some parsing of the value given so that people could specify things like `10hr` or `5days`.

From jira at bro-tracker.atlassian.net Fri Oct 9 13:47:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 9 Oct 2015 15:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days.

[ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22420#comment-22420 ]

Daniel Thayer commented on BIT-1490:
------------------------------------

Is the finer granularity only needed for intervals smaller than 1 day?

> Need ability to expire logs with more granularity than #days.
> -------------------------------------------------------------
>
>                 Key: BIT-1490
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1490
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Priority: Low
>
> There are some users that would like or need to have BroControl maintain their collected logs with tighter granularity than how many days old the logs are.
> Right now the find command that determines which files to delete uses `-mtime` which is `x*24hr`. We would need to use the `-mmin` argument otherwise, but I suspect this would introduce the need to do some parsing of the value given so that people could specify things like `10hr` or `5days`.

From jira at bro-tracker.atlassian.net Fri Oct 9 18:54:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 9 Oct 2015 20:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days.

[ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22421#comment-22421 ]

Seth Hall commented on BIT-1490:
--------------------------------

For the particular user I was talking to today they needed less than one day. I would have made this change myself, but I thought it probably required a bit of discussion on if it's worth adding and how exactly it should be done.
> Need ability to expire logs with more granularity than #days.
> -------------------------------------------------------------
>
>                 Key: BIT-1490
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1490
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Priority: Low
>
> There are some users that would like or need to have BroControl maintain their collected logs with tighter granularity than how many days old the logs are.
> Right now the find command that determines which files to delete uses `-mtime` which is `x*24hr`. We would need to use the `-mmin` argument otherwise, but I suspect this would introduce the need to do some parsing of the value given so that people could specify things like `10hr` or `5days`.

From noreply at bro.org Sat Oct 10 00:00:23 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 10 Oct 2015 00:00:23 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510100700.t9A70N1I008621@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter               Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------------  ------------  ----------  -----------  --------  -------
BIT-1489 [1]  BroControl  Daniel Thayer          Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1488 [3]  Bro         Oman Security Officer  -             2015-10-07  -            Normal    ICMP analyser incorrectly handles ICMP connections
BIT-1487 [4]  Bro         Eric Karasuda          -             2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue   Component    User        Updated     Title
------  -----------  ----------  ----------  -----
#6 [5]  bro-plugins  jswaro [6]  2015-10-06  Adding initial conversion of TCPRS to a plugin [7]
#1 [8]  broctl       J-Gras [9]  2015-10-08  Added support for packet fanout load balancing [10]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1488 https://bro-tracker.atlassian.net/browse/BIT-1488
[4] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[5] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[6] jswaro https://github.com/jswaro
[7] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[8] Pull Request #1 https://github.com/bro/broctl/pull/1
[9] J-Gras https://github.com/J-Gras
[10] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Sun Oct 11 00:00:21 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 11 Oct 2015 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510110700.t9B70Lcv022943@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter               Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------------  ------------  ----------  -----------  --------  -------
BIT-1489 [1]  BroControl  Daniel Thayer          Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1488 [3]  Bro         Oman Security Officer  -             2015-10-07  -            Normal    ICMP analyser incorrectly handles ICMP connections
BIT-1487 [4]  Bro         Eric Karasuda          -             2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue   Component    User        Updated     Title
------  -----------  ----------  ----------  -----
#6 [5]  bro-plugins  jswaro [6]  2015-10-06  Adding initial conversion of TCPRS to a plugin [7]
#1 [8]  broctl       J-Gras [9]  2015-10-08  Added support for packet fanout load balancing [10]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1488 https://bro-tracker.atlassian.net/browse/BIT-1488
[4] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[5] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[6] jswaro https://github.com/jswaro
[7] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[8] Pull Request #1 https://github.com/bro/broctl/pull/1
[9] J-Gras https://github.com/J-Gras
[10] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Mon Oct 12 00:00:26 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 12 Oct 2015 00:00:26 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510120700.t9C70Qxi008371@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter               Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------------  ------------  ----------  -----------  --------  -------
BIT-1489 [1]  BroControl  Daniel Thayer          Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1488 [3]  Bro         Oman Security Officer  -             2015-10-07  -            Normal    ICMP analyser incorrectly handles ICMP connections
BIT-1487 [4]  Bro         Eric Karasuda          -             2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue   Component    User        Updated     Title
------  -----------  ----------  ----------  -----
#6 [5]  bro-plugins  jswaro [6]  2015-10-06  Adding initial conversion of TCPRS to a plugin [7]
#1 [8]  broctl       J-Gras [9]  2015-10-08  Added support for packet fanout load balancing [10]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1488 https://bro-tracker.atlassian.net/browse/BIT-1488
[4] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[5] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[6] jswaro https://github.com/jswaro
[7] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[8] Pull Request #1 https://github.com/bro/broctl/pull/1
[9] J-Gras https://github.com/J-Gras
[10] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Mon Oct 12 11:15:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Mon, 12 Oct 2015 13:15:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days.

[ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer reassigned BIT-1490:
----------------------------------

    Assignee: Daniel Thayer

> Need ability to expire logs with more granularity than #days.
> -------------------------------------------------------------
>
>                 Key: BIT-1490
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1490
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Daniel Thayer
>            Priority: Low
>
> There are some users that would like or need to have BroControl maintain their collected logs with tighter granularity than how many days old the logs are.
> Right now the find command that determines which files to delete uses `-mtime` which is `x*24hr`. We would need to use the `-mmin` argument otherwise, but I suspect this would introduce the need to do some parsing of the value given so that people could specify things like `10hr` or `5days`.

-- This message was sent by Atlassian JIRA (v7.0.0-OD-08-001#70107)

From jira at bro-tracker.atlassian.net Mon Oct 12 12:31:00 2015
From: jira at bro-tracker.atlassian.net (ronald Hill (JIRA))
Date: Mon, 12 Oct 2015 14:31:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1491) trying to change configuration of archived log file to not save in a .gz format. I don't want the logs zipped for testing in a small environment. Where can I change this configuration? Thanks.

ronald Hill created BIT-1491:
---------------------------------

             Summary: trying to change configuration of archived log file to not save in a .gz format. I don't want the logs zipped for testing in a small environment. Where can I change this configuration? Thanks.
                 Key: BIT-1491
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1491
             Project: Bro Issue Tracker
          Issue Type: Task
          Components: Bro
    Affects Versions: 2.4
         Environment: bro installed on ubuntu 12.04
            Reporter: ronald Hill

From jira at bro-tracker.atlassian.net Mon Oct 12 15:59:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Mon, 12 Oct 2015 17:59:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days.

[ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22500#comment-22500 ]

Daniel Thayer commented on BIT-1490:
------------------------------------

Branch "topic/dnthayer/ticket1490" in the broctl repo changes the LogExpireInterval option to accept a value that is a time interval, such as "30min", "12hr", or "7day". A value of 0 still means do not expire logs. An integer without a time unit still means "days" (so that users can still use their old config files).

> Need ability to expire logs with more granularity than #days.
> -------------------------------------------------------------
>
>                 Key: BIT-1490
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1490
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Daniel Thayer
>            Priority: Low
>
> There are some users that would like or need to have BroControl maintain their collected logs with tighter granularity than how many days old the logs are.
> Right now the find command that determines which files to delete uses `-mtime` which is `x*24hr`. We would need to use the `-mmin` argument otherwise, but I suspect this would introduce the need to do some parsing of the value given so that people could specify things like `10hr` or `5days`.
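The interval format described in the BIT-1490 comment above (a count with a `min`, `hr` or `day` suffix, `0` meaning never expire, a bare integer still meaning days), together with the `-mtime` versus `-mmin` point from the original report, as an added Python illustration. This is not the code in the broctl topic/dnthayer/ticket1490 branch; it is an editor's example of the same policy. It parses such a value into minutes, builds the `find -mmin +N` selection that replaces `-mtime`, and applies the same predicate to a constructed file listing so the expiry policy can be checked without a filesystem. Accepting plural suffixes (`5days`, `hrs`, `mins`), ignoring surrounding whitespace, rejecting fractional counts, and leaving the delete action to the caller are this example's own assumptions, as are the function names, the sample paths and the sample times.

```python
"""Parse a BroControl-style LogExpireInterval value and turn it into
"find -mmin" arguments.

Added illustration for the BIT-1490 discussion; this is NOT the code in
the broctl topic/dnthayer/ticket1490 branch.  Assumptions beyond what the
ticket states: the suffixes "min", "hr" and "day" may also be written in
the plural ("5days"), surrounding whitespace is ignored, fractional counts
are rejected, and the delete action is left to the caller.
"""
import re
from typing import List, Optional, Sequence, Tuple

# Unit suffix -> minutes.  A bare integer keeps the old meaning of "days".
_UNIT_MINUTES = {"min": 1, "hr": 60, "day": 24 * 60}

# <count><optional unit>, e.g. "30min", "12hr", "7day", "5days", "7", "0"
_INTERVAL_RE = re.compile(r"^\s*(\d+)\s*([A-Za-z]*)\s*$")


def parse_log_expire_interval(value: str) -> Optional[int]:
    """Return the interval in minutes, or None when the value is 0
    (meaning: never expire logs).

    Raises ValueError for anything that is not <count>[min|hr|day].
    """
    m = _INTERVAL_RE.match(value)
    if m is None:
        raise ValueError(f"invalid LogExpireInterval value: {value!r}")
    count, unit = int(m.group(1)), m.group(2).lower()
    if unit == "":
        unit = "day"          # legacy: no unit means days (old config files)
    elif unit.endswith("s"):
        unit = unit[:-1]      # plural suffix: an assumption of this example
    if unit not in _UNIT_MINUTES:
        raise ValueError(f"unknown time unit in LogExpireInterval: {value!r}")
    minutes = count * _UNIT_MINUTES[unit]
    return None if minutes == 0 else minutes


def find_expire_args(log_dir: str, value: str) -> Optional[List[str]]:
    """argv for the find(1) selection of archived logs older than `value`.

    -mmin gives minute granularity; -mtime only counts multiples of 24h,
    which is why "12hr" or "30min" could not be honoured before.
    Returns None when nothing should be expired (value 0).  The caller
    appends its own delete action (assumption of this example).
    """
    minutes = parse_log_expire_interval(value)
    if minutes is None:
        return None
    return ["find", log_dir, "-type", "f", "-mmin", f"+{minutes}"]


def select_expired(files: Sequence[Tuple[str, float]], now: float,
                   value: str) -> List[str]:
    """Offline counterpart of `find -mmin +N`: paths whose mtime lies more
    than N minutes before `now`.  Lets the policy be tested without a
    filesystem; find applies its own rounding at the exact boundary."""
    minutes = parse_log_expire_interval(value)
    if minutes is None:
        return []
    return [path for path, mtime in files if (now - mtime) / 60 > minutes]


# Constructed sample archive listing: (path, mtime in seconds since epoch).
NOW = 1_444_700_000.0   # arbitrary "current time" for the demo
SAMPLE_FILES = [
    ("logs/2015-10-12/conn.00:00:00-01:00:00.log.gz", NOW - 26 * 3600),  # 26 h old
    ("logs/2015-10-12/http.22:00:00-23:00:00.log.gz", NOW - 2 * 3600),   # 2 h old
    ("logs/2015-10-13/conn.10:00:00-11:00:00.log.gz", NOW - 20 * 60),    # 20 min old
]

if __name__ == "__main__":
    for spec in ("0", "1", "12hr", "30min"):
        print(f"{spec!r:8} {find_expire_args('logs', spec)}")
        for path in select_expired(SAMPLE_FILES, NOW, spec):
            print("   expire", path)
```

Running the module prints, for each sample interval, the `find` argument vector and which of the constructed files would be removed: `0` selects nothing, `1` (a legacy bare integer, so one day) and `12hr` select only the 26-hour-old file, and `30min` also catches the 2-hour-old one. The comparison here is exact, while `find` applies its own rounding to the age it tests, so treat this as a check of the policy rather than a bit-for-bit reproduction of `find`.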
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-001#70107)

From noreply at bro.org Tue Oct 13 00:00:23 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 13 Oct 2015 00:00:23 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510130700.t9D70NvB031586@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter               Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------------  ------------  ----------  -----------  --------  --------------------------------------------------------------------------------------------------
BIT-1489 [1]  BroControl  Daniel Thayer          Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1488 [3]  Bro         Oman Security Officer  -             2015-10-07  -            Normal    ICMP analyser incorrectly handles ICMP connections
BIT-1487 [4]  Bro         Eric Karasuda          -             2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue    Component    User        Updated     Title
-------  -----------  ----------  ----------  ---------------------------------------------------
#6 [5]   bro-plugins  jswaro [6]  2015-10-06  Adding initial conversion of TCPRS to a plugin [7]
#1 [8]   broctl       J-Gras [9]  2015-10-08  Added support for packet fanout load balancing [10]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1488 https://bro-tracker.atlassian.net/browse/BIT-1488
[4] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[5] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[6] jswaro https://github.com/jswaro
[7] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[8] Pull Request #1 https://github.com/bro/broctl/pull/1
[9] J-Gras https://github.com/J-Gras
[10] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Tue Oct 13 05:47:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Tue, 13 Oct 2015 07:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1482) Crash from: "tcmalloc: large alloc"

[ https://bro-tracker.atlassian.net/browse/BIT-1482?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aaron Eppert updated BIT-1482:
------------------------------

    Attachment: redacted-crash-diag.log.bz2

> Crash from: "tcmalloc: large alloc"
> -----------------------------------
>
>                 Key: BIT-1482
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1482
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Aaron Eppert
>         Attachments: redacted-crash-diag.log.bz2
>
>
> core.91861
> [New Thread 91861]
> [New Thread 91871]
> [New Thread 91872]
> [New Thread 91873]
> [Thread debugging using libthread_db enabled]
> Core was generated by `/usr/local/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype") at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57
> in /mnt/hgfs/src/psdev/bro/src/Serializer.h
>
> Thread 4 (Thread 0x7fb7ce219700 (LWP 91873)):
> #0  0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1  0x000000000086f551 in threading::Queue::Get (this=0x3e10c38) at /mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173
> #2  0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349
> #3  0x000000000086de02 in threading::MsgThread::Run (this=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366
> #4  0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201
> #5  0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0
> #6  0x0000003b8ece89ad in clone () from /lib64/libc.so.6
>
> Thread 3 (Thread 0x7fb7cec1a700 (LWP 91872)):
> #0  0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1  0x000000000086f551 in threading::Queue::Get (this=0x3e11838) at /mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173
> #2  0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349
> #3  0x000000000086de02 in threading::MsgThread::Run (this=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366
> #4  0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201
> #5  0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0
> #6  0x0000003b8ece89ad in clone () from /lib64/libc.so.6
>
> Thread 2 (Thread 0x7fb7cf61b700 (LWP 91871)):
> #0  0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1  0x000000000086f551 in threading::Queue::Get (this=0x3e12438) at /mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173
> #2  0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349
> #3  0x000000000086de02 in threading::MsgThread::Run (this=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366
> #4  0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201
> #5  0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0
> #6  0x0000003b8ece89ad in clone () from /lib64/libc.so.6
>
> Thread 1 (Thread 0x7fb84fc06800 (LWP 91861)):
> #0  0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype") at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57
> #1  0x0000000000817fb4 in SerialObj::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:268
> #2  0x00000000007e1be2 in BroObj::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Obj.cc:226
> #3  0x00000000008459b4 in BroType::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:283
> #4  0x000000000081788a in SerialObj::Serialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #5  0x0000000000845670 in BroType::Serialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212
> #6  0x0000000000742c72 in Attributes::DoSerialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516
> #7  0x000000000081788a in SerialObj::Serialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #8  0x0000000000742b1b in Attributes::Serialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500
> #9  0x0000000000848ab5 in TypeDecl::Serialize (this=0x2c05ec0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929
> #10 0x000000000084a01a in RecordType::DoSerialize (this=0x2aea340, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:1250
> #11 0x000000000081788a in SerialObj::Serialize (this=0x2aea340, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> ... (pattern repeats ....)
> ...
> #116924 0x0000000000845670 in BroType::Serialize (this=0x4740480, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212
> #116925 0x0000000000742c72 in Attributes::DoSerialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516
> #116926 0x000000000081788a in SerialObj::Serialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116927 0x0000000000742b1b in Attributes::Serialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500
> #116928 0x0000000000848ab5 in TypeDecl::Serialize (this=0x47eae00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929
> #116929 0x000000000084a01a in RecordType::DoSerialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:1250
> #116930 0x000000000081788a in SerialObj::Serialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116931 0x0000000000845670 in BroType::Serialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212
> #116932 0x0000000000742c72 in Attributes::DoSerialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516
> #116933 0x000000000081788a in SerialObj::Serialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116934 0x0000000000742b1b in Attributes::Serialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500
> #116935 0x0000000000848ab5 in TypeDecl::Serialize (this=0x47e81c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929
> #116936 0x000000000084a01a in RecordType::DoSerialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:1250
> #116937 0x000000000081788a in SerialObj::Serialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116938 0x0000000000845670 in BroType::Serialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212
> #116939 0x0000000000854a9e in Val::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:188
> #116940 0x00000000008562bc in MutableVal::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:656
> #116941 0x000000000085efb2 in RecordVal::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:2813
> #116942 0x000000000081788a in SerialObj::Serialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116943 0x0000000000854643 in Val::Serialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:100
> #116944 0x0000000000854511 in Val::Clone (this=0x6b92760) at /mnt/hgfs/src/psdev/bro/src/Val.cc:83
> #116945 0x00000000007a4d91 in Frame::Clone (this=0x8b612d0) at /mnt/hgfs/src/psdev/bro/src/Frame.cc:78
> #116946 0x0000000000841676 in Trigger::Trigger (this=0x2b79dc0, arg_cond=0x4ae81c0, arg_body=0x4af3600, arg_timeout_stmts=0x0, arg_timeout=0x0, arg_frame=0x8b612d0, arg_is_return=false, arg_location=0x4b4d280) at /mnt/hgfs/src/psdev/bro/src/Trigger.cc:108
> #116947 0x000000000083db0e in WhenStmt::Exec (this=0x4b3eba0, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:2166
> #116948 0x000000000083c17b in StmtList::Exec (this=0x4af4260, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:1764
> #116949 0x000000000083c17b in StmtList::Exec (this=0x4b56540, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:1764
> #116950 0x00000000007a649b in BroFunc::Call (this=0x3099030, args=0x82c33e0, parent=0x0) at /mnt/hgfs/src/psdev/bro/src/Func.cc:386
> #116951 0x000000000077f12e in EventHandler::Call (this=0x3084600, vl=0x82c33e0, no_remote=false) at /mnt/hgfs/src/psdev/bro/src/EventHandler.cc:80
> #116952 0x0000000000732965 in Event::Dispatch (this=0xb5004e0, no_remote=false) at /mnt/hgfs/src/psdev/bro/src/Event.h:50
> #116953 0x000000000077e85d in EventMgr::Dispatch (this=0xf66ee0) at /mnt/hgfs/src/psdev/bro/src/Event.cc:111
> #116954 0x000000000077e968 in EventMgr::Drain (this=0xf66ee0) at /mnt/hgfs/src/psdev/bro/src/Event.cc:128
> #116955 0x00000000007ddd66 in net_packet_dispatch (t=1442838074.400739, hdr=0x4d73140, pkt=0x7fb7db8622fc, hdr_size=14, src_ps=0x4d73000) at /mnt/hgfs/src/psdev/bro/src/Net.cc:278
> #116956 0x0000000000af1ed6 in iosource::PktSrc::Process (this=0x4d73000) at /mnt/hgfs/src/psdev/bro/src/iosource/PktSrc.cc:411
> #116957 0x00000000007ddf6f in net_run () at /mnt/hgfs/src/psdev/bro/src/Net.cc:320
> #116958 0x00000000007319aa in main (argc=18, argv=0x7ffde1aa3af8) at /mnt/hgfs/src/psdev/bro/src/main.cc:1200
>
> ==== No reporter.log
> ==== stderr.log
> internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: GNU General Public License for more details.
> internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: You should have received a copy of the GNU General Public License
> internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: along with tcplog. If not, see .
> listening on eth1, capture length 65535 bytes
> processing suspended
> processing continued
> tcmalloc: large alloc 1562509312 bytes == 0x498f0000 @ 0x7fb85004b4ac 0x7fb85006b22c 0x73b0e5 0x815270 0x81627e 0x7437f8 0x742ddd 0x81788a 0x742b1b 0x848ab5 0x84a01a 0x81788a 0x845670 0x848b3b 0x84a01a 0x81788a 0x845670 0x846db0 0x84759e 0x81788a 0x845670 0x742c72 0x81788a 0x742b1b 0x848ab5 0x84a01a 0x81788a 0x845670 0x742c72 0x81788a 0x742b1b
> /usr/local/bro/share/broctl/scripts/run-bro: line 85: 91861 Segmentation fault (core dumped) nohup ${pin_command} $pin_cpu $mybro "$@"
>
> ----
>
> (gdb) frame 0
> #0  0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype")
>     at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57
> 57      DECLARE_IO(uint16)
> (gdb) print *this
> $8 = {_vptr.Serializer = 0xb7dc50, static MAGIC = 1112691540, static DATA_FORMAT_VERSION = 25, io = 0x0, format = 0x89def00,
>   current_cache = 0x0, error_descr = 0x0}
> (gdb) print *this
> $10 = {_vptr.Serializer = 0xb7dc50, static MAGIC = 1112691540, static DATA_FORMAT_VERSION = 25, io = 0x0,
>   format = 0x89def00, current_cache = 0x0, error_descr = 0x0}
> (gdb) print *this->format
> $11 = {_vptr.SerializationFormat = 0xb74dd0, static INITIAL_SIZE = 65536, static GROWTH_FACTOR = 2.5,
>   output = 0x498f0000 "\001", output_size = 1562499968, output_pos = 852829181, input = 0x0, input_len = 0, input_pos = 0,
>   bytes_written = 852829181, bytes_read = 0}
>
> The stack trace and the problem seems to be similar to:
> http://mailman.icsi.berkeley.edu/pipermail/bro/2015-March/008241.html

From jira at bro-tracker.atlassian.net Tue Oct 13 05:47:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Tue, 13 Oct 2015 07:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1482) Crash from: "tcmalloc: large alloc"

[
https://bro-tracker.atlassian.net/browse/BIT-1482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22501#comment-22501 ]

Aaron Eppert commented on BIT-1482:
-----------------------------------

I have another from 2.4.1 that is attached. The issue that is of concern shows up in Thread 1. The rest of the threads aren't the actual root cause and are simply affected by Thread 1. Any insight would be greatly appreciated. [^redacted-crash-diag.log]

From jira at bro-tracker.atlassian.net Tue Oct 13 10:00:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Tue, 13 Oct 2015 12:00:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1482) Crash from: "tcmalloc: large alloc"

[
https://bro-tracker.atlassian.net/browse/BIT-1482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22501#comment-22501 ]

Aaron Eppert edited comment on BIT-1482 at 10/13/15 11:59 AM:
--------------------------------------------------------------

I have another from 2.4.1 that is attached. The issue that is of concern shows up in Thread 1. The rest of the threads aren't the actual root cause and are simply affected by Thread 1. Any insight would be greatly appreciated. [^redacted-crash-diag.log]

Through the several crashes I have of this kind, they all seem to boil down to:

#116926 0x00000000007d86de in EventHandler::Call (this=0x37b1540, vl=0x17005fa0, no_remote=false) at /mnt/hgfs/src/psdev/bro/src/EventHandler.cc:130
warning: Source file is more recent than executable.
130         Unref(local->Call(vl));
(gdb) print *this
$1 = {name = 0x3607200 "ssl_established", local = 0x37c2370, type = 0x0, used = true, enabled = true, error_handler = false, generate_always = false, receivers = { = {entry = 0x37a73a0, chunk_size = 10, max_entries = 10, num_entries = 0}, }}

This appears to be the correlating event.

> Crash from: "tcmalloc: large alloc"
> -----------------------------------
>
>                 Key: BIT-1482
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1482
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Aaron Eppert
>         Attachments: redacted-crash-diag.log.bz2
>
>
> core.91861
> [New Thread 91861]
> [New Thread 91871]
> [New Thread 91872]
> [New Thread 91873]
> [Thread debugging using libthread_db enabled]
> Core was generated by `/usr/local/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype") at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57
> in /mnt/hgfs/src/psdev/bro/src/Serializer.h
>
> Thread 4 (Thread 0x7fb7ce219700 (LWP 91873)):
> #0  0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1  0x000000000086f551 in threading::Queue::Get (this=0x3e10c38) at /mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173
> #2  0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349
> #3  0x000000000086de02 in threading::MsgThread::Run (this=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366
> #4  0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201
> #5  0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0
> #6  0x0000003b8ece89ad in clone () from /lib64/libc.so.6
>
> Thread 3 (Thread 0x7fb7cec1a700 (LWP 91872)):
> #0  0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1  0x000000000086f551 in threading::Queue::Get (this=0x3e11838) at /mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173
> #2  0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349
> #3  0x000000000086de02 in threading::MsgThread::Run (this=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366
> #4  0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201
> #5  0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0
> #6  0x0000003b8ece89ad in clone () from /lib64/libc.so.6
>
> Thread 2 (Thread 0x7fb7cf61b700 (LWP 91871)):
> #0  0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1  0x000000000086f551 in threading::Queue::Get (this=0x3e12438) at /mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173
> #2  0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349
> #3  0x000000000086de02 in threading::MsgThread::Run (this=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366
> #4  0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201
> #5  0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0
> #6  0x0000003b8ece89ad in clone () from /lib64/libc.so.6
>
> Thread 1 (Thread 0x7fb84fc06800 (LWP 91861)):
> #0  0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype") at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57
> #1  0x0000000000817fb4 in SerialObj::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:268
> #2  0x00000000007e1be2 in BroObj::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Obj.cc:226
> #3  0x00000000008459b4 in BroType::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:283
> #4  0x000000000081788a in SerialObj::Serialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #5  0x0000000000845670 in BroType::Serialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212
> #6  0x0000000000742c72 in Attributes::DoSerialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516
> #7  0x000000000081788a in SerialObj::Serialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #8  0x0000000000742b1b in Attributes::Serialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500
> #9  0x0000000000848ab5 in TypeDecl::Serialize (this=0x2c05ec0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929
> #10 0x000000000084a01a in RecordType::DoSerialize (this=0x2aea340, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:1250
> #11 0x000000000081788a in SerialObj::Serialize (this=0x2aea340, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> ... (pattern repeats ....)
> ...
> #116924 0x0000000000845670 in BroType::Serialize (this=0x4740480, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212
> #116925 0x0000000000742c72 in Attributes::DoSerialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516
> #116926 0x000000000081788a in SerialObj::Serialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116927 0x0000000000742b1b in Attributes::Serialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500
> #116928 0x0000000000848ab5 in TypeDecl::Serialize (this=0x47eae00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929
> #116929 0x000000000084a01a in RecordType::DoSerialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:1250
> #116930 0x000000000081788a in SerialObj::Serialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116931 0x0000000000845670 in BroType::Serialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212
> #116932 0x0000000000742c72 in Attributes::DoSerialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516
> #116933 0x000000000081788a in SerialObj::Serialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116934 0x0000000000742b1b in Attributes::Serialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500
> #116935 0x0000000000848ab5 in TypeDecl::Serialize (this=0x47e81c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929
> #116936 0x000000000084a01a in RecordType::DoSerialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:1250
> #116937 0x000000000081788a in SerialObj::Serialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116938 0x0000000000845670 in BroType::Serialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212
> #116939 0x0000000000854a9e in Val::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:188
> #116940 0x00000000008562bc in MutableVal::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:656
> #116941 0x000000000085efb2 in RecordVal::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:2813
> #116942 0x000000000081788a in SerialObj::Serialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116943 0x0000000000854643 in Val::Serialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:100
> #116944 0x0000000000854511 in Val::Clone (this=0x6b92760) at /mnt/hgfs/src/psdev/bro/src/Val.cc:83
> #116945 0x00000000007a4d91 in Frame::Clone (this=0x8b612d0) at /mnt/hgfs/src/psdev/bro/src/Frame.cc:78
> #116946 0x0000000000841676 in Trigger::Trigger (this=0x2b79dc0, arg_cond=0x4ae81c0, arg_body=0x4af3600, arg_timeout_stmts=0x0, arg_timeout=0x0, arg_frame=0x8b612d0, arg_is_return=false, arg_location=0x4b4d280) at /mnt/hgfs/src/psdev/bro/src/Trigger.cc:108
> #116947 0x000000000083db0e in WhenStmt::Exec (this=0x4b3eba0, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:2166
> #116948 0x000000000083c17b in StmtList::Exec (this=0x4af4260, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:1764
> #116949 0x000000000083c17b in StmtList::Exec (this=0x4b56540, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:1764
> #116950 0x00000000007a649b in BroFunc::Call (this=0x3099030, args=0x82c33e0, parent=0x0) at /mnt/hgfs/src/psdev/bro/src/Func.cc:386
> #116951 0x000000000077f12e in EventHandler::Call (this=0x3084600, vl=0x82c33e0, no_remote=false) at /mnt/hgfs/src/psdev/bro/src/EventHandler.cc:80
> #116952 0x0000000000732965 in Event::Dispatch (this=0xb5004e0, no_remote=false) at /mnt/hgfs/src/psdev/bro/src/Event.h:50
> #116953 0x000000000077e85d in EventMgr::Dispatch (this=0xf66ee0) at /mnt/hgfs/src/psdev/bro/src/Event.cc:111
> #116954 0x000000000077e968 in EventMgr::Drain (this=0xf66ee0) at /mnt/hgfs/src/psdev/bro/src/Event.cc:128
> #116955 0x00000000007ddd66 in net_packet_dispatch (t=1442838074.400739, hdr=0x4d73140, pkt=0x7fb7db8622fc
, hdr_size=14, src_ps=0x4d73000) at /mnt/hgfs/src/psdev/bro/src/Net.cc:278 > #116956 0x0000000000af1ed6 in iosource::PktSrc::Process (this=0x4d73000) at /mnt/hgfs/src/psdev/bro/src/iosource/PktSrc.cc:411 > #116957 0x00000000007ddf6f in net_run () at /mnt/hgfs/src/psdev/bro/src/Net.cc:320 > #116958 0x00000000007319aa in main (argc=18, argv=0x7ffde1aa3af8) at /mnt/hgfs/src/psdev/bro/src/main.cc:1200 > ==== No reporter.log > ==== stderr.log > internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: GNU General Public License for more details. > internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: You should have received a copy of the GNU General Public License > internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: along with tcplog. If not, see . 
> listening on eth1, capture length 65535 bytes > processing suspended > processing continued > tcmalloc: large alloc 1562509312 bytes == 0x498f0000 @ 0x7fb85004b4ac 0x7fb85006b22c 0x73b0e5 0x815270 0x81627e 0x7437f8 0x742ddd 0x81788a 0x742b1b 0x848ab5 0x84a01a 0x81788a 0x845670 0x848b3b 0x84a01a 0x81788a 0x845670 0x846db0 0x84759e 0x81788a 0x845670 0x742c72 0x81788a 0x742b1b 0x848ab5 0x84a01a 0x81788a 0x845670 0x742c72 0x81788a 0x742b1b > /usr/local/bro/share/broctl/scripts/run-bro: line 85: 91861 Segmentation fault (core dumped) nohup ${pin_command} $pin_cpu $mybro "$@" > ---- > (gdb) frame 0 > #0 0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype") > at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57 > 57 DECLARE_IO(uint16) > (gdb) print *this > $8 = {_vptr.Serializer = 0xb7dc50, static MAGIC = 1112691540, static DATA_FORMAT_VERSION = 25, io = 0x0, format = 0x89def00, > current_cache = 0x0, error_descr = 0x0} > (gdb) print *this > $10 = {_vptr.Serializer = 0xb7dc50, static MAGIC = 1112691540, static DATA_FORMAT_VERSION = 25, io = 0x0, > format = 0x89def00, current_cache = 0x0, error_descr = 0x0} > (gdb) print *this->format > $11 = {_vptr.SerializationFormat = 0xb74dd0, static INITIAL_SIZE = 65536, static GROWTH_FACTOR = 2.5, > output = 0x498f0000 "\001", output_size = 1562499968, output_pos = 852829181, input = 0x0, input_len = 0, input_pos = 0, > bytes_written = 852829181, bytes_read = 0} > The stack trace and the problem seems to be similar to: > http://mailman.icsi.berkeley.edu/pipermail/bro/2015-March/008241.html -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-001#70107) From jira at bro-tracker.atlassian.net Tue Oct 13 16:11:00 2015 From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA)) Date: Tue, 13 Oct 2015 18:11:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1482) Crash from: "tcmalloc: large alloc" In-Reply-To: References: Message-ID: [ 
https://bro-tracker.atlassian.net/browse/BIT-1482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22502#comment-22502 ]

Aaron Eppert commented on BIT-1482:
-----------------------------------

Not loading "protocols/ssl/notary" seems to "fix" the problem. This is occurring in a VM that is moderately undersized with only 4GB of RAM and two cores.

I am curious if it has anything to do with "when ( local str = lookup_hostname_txt(fmt("%s.%s", digest, domain)) )" and possibly being a DNS issue?


> Crash from: "tcmalloc: large alloc"
> -----------------------------------
>
>                 Key: BIT-1482
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1482
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Aaron Eppert
>         Attachments: redacted-crash-diag.log.bz2
>
>
> core.91861
> [New Thread 91861]
> [New Thread 91871]
> [New Thread 91872]
> [New Thread 91873]
> [Thread debugging using libthread_db enabled]
> Core was generated by `/usr/local/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p'.
> Program terminated with signal 11, Segmentation fault.
> #0 0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype") at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57
> in /mnt/hgfs/src/psdev/bro/src/Serializer.h
>
> Thread 4 (Thread 0x7fb7ce219700 (LWP 91873)):
> #0 0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x000000000086f551 in threading::Queue::Get (this=0x3e10c38) at /mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173
> #2 0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349
> #3 0x000000000086de02 in threading::MsgThread::Run (this=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366
> #4 0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201
> #5 0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0
> #6 0x0000003b8ece89ad in clone () from /lib64/libc.so.6
>
> Thread 3 (Thread 0x7fb7cec1a700 (LWP 91872)):
> #0 0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x000000000086f551 in threading::Queue::Get (this=0x3e11838) at /mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173
> #2 0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349
> #3 0x000000000086de02 in threading::MsgThread::Run (this=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366
> #4 0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201
> #5 0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0
> #6 0x0000003b8ece89ad in clone () from /lib64/libc.so.6
>
> Thread 2 (Thread 0x7fb7cf61b700 (LWP 91871)):
> #0 0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
> #1 0x000000000086f551 in threading::Queue::Get (this=0x3e12438) at /mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173
> #2 0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349
> #3 0x000000000086de02 in threading::MsgThread::Run (this=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366
> #4 0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201
> #5 0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0
> #6 0x0000003b8ece89ad in clone () from /lib64/libc.so.6
>
> Thread 1 (Thread 0x7fb84fc06800 (LWP 91861)):
> #0 0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype") at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57
> #1 0x0000000000817fb4 in SerialObj::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:268
> #2 0x00000000007e1be2 in BroObj::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Obj.cc:226
> #3 0x00000000008459b4 in BroType::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:283
> #4 0x000000000081788a in SerialObj::Serialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #5 0x0000000000845670 in BroType::Serialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212
> #6 0x0000000000742c72 in Attributes::DoSerialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516
> #7 0x000000000081788a in SerialObj::Serialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #8 0x0000000000742b1b in Attributes::Serialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500
> #9 0x0000000000848ab5 in TypeDecl::Serialize (this=0x2c05ec0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929
> #10 0x000000000084a01a in RecordType::DoSerialize (this=0x2aea340, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:1250
> #11 0x000000000081788a in SerialObj::Serialize (this=0x2aea340, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> ... (pattern repeats ....)
> ...
> #116924 0x0000000000845670 in BroType::Serialize (this=0x4740480, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212
> #116925 0x0000000000742c72 in Attributes::DoSerialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516
> #116926 0x000000000081788a in SerialObj::Serialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116927 0x0000000000742b1b in Attributes::Serialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500
> #116928 0x0000000000848ab5 in TypeDecl::Serialize (this=0x47eae00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929
> #116929 0x000000000084a01a in RecordType::DoSerialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:1250
> #116930 0x000000000081788a in SerialObj::Serialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116931 0x0000000000845670 in BroType::Serialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212
> #116932 0x0000000000742c72 in Attributes::DoSerialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516
> #116933 0x000000000081788a in SerialObj::Serialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116934 0x0000000000742b1b in Attributes::Serialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500
> #116935 0x0000000000848ab5 in TypeDecl::Serialize (this=0x47e81c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929
> #116936 0x000000000084a01a in RecordType::DoSerialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:1250
> #116937 0x000000000081788a in SerialObj::Serialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116938 0x0000000000845670 in BroType::Serialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212
> #116939 0x0000000000854a9e in Val::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:188
> #116940 0x00000000008562bc in MutableVal::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:656
> #116941 0x000000000085efb2 in RecordVal::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:2813
> #116942 0x000000000081788a in SerialObj::Serialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121
> #116943 0x0000000000854643 in Val::Serialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:100
> #116944 0x0000000000854511 in Val::Clone (this=0x6b92760) at /mnt/hgfs/src/psdev/bro/src/Val.cc:83
> #116945 0x00000000007a4d91 in Frame::Clone (this=0x8b612d0) at /mnt/hgfs/src/psdev/bro/src/Frame.cc:78
> #116946 0x0000000000841676 in Trigger::Trigger (this=0x2b79dc0, arg_cond=0x4ae81c0, arg_body=0x4af3600, arg_timeout_stmts=0x0, arg_timeout=0x0, arg_frame=0x8b612d0, arg_is_return=false, arg_location=0x4b4d280) at /mnt/hgfs/src/psdev/bro/src/Trigger.cc:108
> #116947 0x000000000083db0e in WhenStmt::Exec (this=0x4b3eba0, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:2166
> #116948 0x000000000083c17b in StmtList::Exec (this=0x4af4260, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:1764
> #116949 0x000000000083c17b in StmtList::Exec (this=0x4b56540, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:1764
> #116950 0x00000000007a649b in BroFunc::Call (this=0x3099030, args=0x82c33e0, parent=0x0) at /mnt/hgfs/src/psdev/bro/src/Func.cc:386
> #116951 0x000000000077f12e in EventHandler::Call (this=0x3084600, vl=0x82c33e0, no_remote=false) at /mnt/hgfs/src/psdev/bro/src/EventHandler.cc:80
> #116952 0x0000000000732965 in Event::Dispatch (this=0xb5004e0, no_remote=false) at /mnt/hgfs/src/psdev/bro/src/Event.h:50
> #116953 0x000000000077e85d in EventMgr::Dispatch (this=0xf66ee0) at /mnt/hgfs/src/psdev/bro/src/Event.cc:111
> #116954 0x000000000077e968 in EventMgr::Drain (this=0xf66ee0) at /mnt/hgfs/src/psdev/bro/src/Event.cc:128
> #116955 0x00000000007ddd66 in net_packet_dispatch (t=1442838074.400739, hdr=0x4d73140, pkt=0x7fb7db8622fc, hdr_size=14, src_ps=0x4d73000) at /mnt/hgfs/src/psdev/bro/src/Net.cc:278
> #116956 0x0000000000af1ed6 in iosource::PktSrc::Process (this=0x4d73000) at /mnt/hgfs/src/psdev/bro/src/iosource/PktSrc.cc:411
> #116957 0x00000000007ddf6f in net_run () at /mnt/hgfs/src/psdev/bro/src/Net.cc:320
> #116958 0x00000000007319aa in main (argc=18, argv=0x7ffde1aa3af8) at /mnt/hgfs/src/psdev/bro/src/main.cc:1200
>
> ==== No reporter.log
>
> ==== stderr.log
> internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: GNU General Public License for more details.
> internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: You should have received a copy of the GNU General Public License
> internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: along with tcplog. If not, see .
> listening on eth1, capture length 65535 bytes
> processing suspended
> processing continued
> tcmalloc: large alloc 1562509312 bytes == 0x498f0000 @ 0x7fb85004b4ac 0x7fb85006b22c 0x73b0e5 0x815270 0x81627e 0x7437f8 0x742ddd 0x81788a 0x742b1b 0x848ab5 0x84a01a 0x81788a 0x845670 0x848b3b 0x84a01a 0x81788a 0x845670 0x846db0 0x84759e 0x81788a 0x845670 0x742c72 0x81788a 0x742b1b 0x848ab5 0x84a01a 0x81788a 0x845670 0x742c72 0x81788a 0x742b1b
> /usr/local/bro/share/broctl/scripts/run-bro: line 85: 91861 Segmentation fault (core dumped) nohup ${pin_command} $pin_cpu $mybro "$@"
>
> ----
>
> (gdb) frame 0
> #0 0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype")
>     at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57
> 57        DECLARE_IO(uint16)
> (gdb) print *this
> $8 = {_vptr.Serializer = 0xb7dc50, static MAGIC = 1112691540, static DATA_FORMAT_VERSION = 25, io = 0x0, format = 0x89def00,
>   current_cache = 0x0, error_descr = 0x0}
> (gdb) print *this
> $10 = {_vptr.Serializer = 0xb7dc50, static MAGIC = 1112691540, static DATA_FORMAT_VERSION = 25, io = 0x0,
>   format = 0x89def00, current_cache = 0x0, error_descr = 0x0}
> (gdb) print *this->format
> $11 = {_vptr.SerializationFormat = 0xb74dd0, static INITIAL_SIZE = 65536, static GROWTH_FACTOR = 2.5,
>   output = 0x498f0000 "\001", output_size = 1562499968, output_pos = 852829181, input = 0x0, input_len = 0, input_pos = 0,
>   bytes_written = 852829181, bytes_read = 0}
>
> The stack trace and the problem seem to be similar to:
> http://mailman.icsi.berkeley.edu/pipermail/bro/2015-March/008241.html

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-001#70107)

From noreply at bro.org Wed Oct 14 00:00:24 2015
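Two things a reader of the BIT-1482 trace above wants to pull out of it quickly: the repeating unit inside a 116,958-frame stack, and why a serialization of about 850 MB (bytes_written = 852829181) turned into the 1.5 GB allocation tcmalloc logged on a 4 GB VM. The Python below is an added example, not Bro code and not part of the ticket. SAMPLE_TRACE is a constructed, abridged copy of the quoted frames (arguments dropped, paths shortened, the frames between WhenStmt::Exec and main omitted); the cycle finder works on any gdb "#N 0x... in Func (...)" listing, quoted with ">" or not. The defaults of buffer_growth are the INITIAL_SIZE and GROWTH_FACTOR gdb printed for SerializationFormat.

```python
"""Find the repeating call cycle at the innermost end of a deep gdb backtrace
and relate the buffer size gdb printed to the growth policy it also printed.

Added example for the BIT-1482 report; not Bro code, not from the ticket.
SAMPLE_TRACE is a constructed, abridged copy of the frames quoted there.
"""
import re
import struct
from typing import List, Optional, Tuple

# One gdb frame: "#N 0xADDR in Function (args) at file:line", optionally '>'-quoted.
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+in\s+([^\s(]+)\s*\(")

SAMPLE_TRACE = """\
> #116924 0x0000000000845670 in BroType::Serialize () at Type.cc:212
> #116925 0x0000000000742c72 in Attributes::DoSerialize () at Attr.cc:516
> #116926 0x000000000081788a in SerialObj::Serialize () at SerialObj.cc:121
> #116927 0x0000000000742b1b in Attributes::Serialize () at Attr.cc:500
> #116928 0x0000000000848ab5 in TypeDecl::Serialize () at Type.cc:929
> #116929 0x000000000084a01a in RecordType::DoSerialize () at Type.cc:1250
> #116930 0x000000000081788a in SerialObj::Serialize () at SerialObj.cc:121
> #116931 0x0000000000845670 in BroType::Serialize () at Type.cc:212
> #116932 0x0000000000742c72 in Attributes::DoSerialize () at Attr.cc:516
> #116933 0x000000000081788a in SerialObj::Serialize () at SerialObj.cc:121
> #116934 0x0000000000742b1b in Attributes::Serialize () at Attr.cc:500
> #116935 0x0000000000848ab5 in TypeDecl::Serialize () at Type.cc:929
> #116936 0x000000000084a01a in RecordType::DoSerialize () at Type.cc:1250
> #116937 0x000000000081788a in SerialObj::Serialize () at SerialObj.cc:121
> #116938 0x0000000000845670 in BroType::Serialize () at Type.cc:212
> #116939 0x0000000000854a9e in Val::DoSerialize () at Val.cc:188
> #116944 0x0000000000854511 in Val::Clone () at Val.cc:83
> #116945 0x00000000007a4d91 in Frame::Clone () at Frame.cc:78
> #116946 0x0000000000841676 in Trigger::Trigger () at Trigger.cc:108
> #116947 0x000000000083db0e in WhenStmt::Exec () at Stmt.cc:2166
> ... (frames omitted in this excerpt)
> #116958 0x00000000007319aa in main () at main.cc:1200
"""


def parse_frames(text: str) -> List[str]:
    """Function names of every frame, innermost first; non-frame lines are skipped."""
    names = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.lstrip("> ").strip())
        if m:
            names.append(m.group(2))
    return names


def find_cycle(names: List[str], min_repeats: int = 2) -> Optional[Tuple[int, int]]:
    """Return (period, prefix_length) of the repeating pattern at index 0, or None.
    For each candidate period p, count how far names[i] == names[i + p] holds from
    the innermost frame; the periodic prefix is then run + p frames long. The
    candidate covering the longest prefix wins, ties going to the shorter period,
    so a 7-frame cycle is not reported as a 14-frame one."""
    n = len(names)
    best: Optional[Tuple[int, int]] = None
    for p in range(1, n // 2 + 1):
        run = 0
        while run + p < n and names[run] == names[run + p]:
            run += 1
        covered = run + p
        if covered >= p * min_repeats and (best is None or covered > best[1]):
            best = (p, covered)
    return best


def describe_cycle(text: str) -> dict:
    """Parse a backtrace and report the cycle plus the first caller outside it."""
    names = parse_frames(text)
    found = find_cycle(names)
    if found is None:
        return {"period": 0, "cycle": [], "repeats": 0, "entered_from": None}
    period, covered = found
    return {"period": period,
            "cycle": names[:period],
            "repeats": covered // period,
            "entered_from": names[covered] if covered < len(names) else None}


def buffer_growth(needed: int, initial: int = 65536, factor: float = 2.5) -> List[int]:
    """Sizes a buffer passes through when it starts at `initial` and is multiplied
    by `factor` until it holds `needed` bytes (defaults: the INITIAL_SIZE and
    GROWTH_FACTOR gdb printed for SerializationFormat)."""
    sizes = [initial]
    while sizes[-1] < needed:
        sizes.append(int(sizes[-1] * factor))
    return sizes


def as_float32(x: float) -> float:
    """Round x to IEEE-754 single precision, as a `float` size computation would."""
    return struct.unpack("f", struct.pack("f", float(x)))[0]


if __name__ == "__main__":
    r = describe_cycle(SAMPLE_TRACE)
    print(f"period {r['period']}, entered from {r['entered_from']}:")
    print("  " + " -> ".join(r["cycle"]))
    steps = buffer_growth(852829181)  # bytes_written from the gdb session
    print(f"{len(steps) - 1} growths to {steps[-1]} bytes (float32: {as_float32(steps[-1]):.0f})")
```

On the excerpt the period is 7: BroType::Serialize, Attributes::DoSerialize, SerialObj::Serialize, Attributes::Serialize, TypeDecl::Serialize, RecordType::DoSerialize, SerialObj::Serialize, i.e. a record type whose field declaration carries attributes that serialize a type that is again a record type with attributed fields, and the cycle is entered from Val::DoSerialize underneath Frame::Clone, which is the `when` statement copying its frame. For the buffer, eleven multiplications of 65536 by 2.5 give exactly 1,562,500,000 bytes, and rounding that product to single precision yields the 1,562,499,968 gdb printed for output_size; that the two numbers match suggests the size arithmetic is done in `float`, but that is an inference from the printed values, not something the ticket states.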
From: noreply at bro.org (Merge Tracker)
Date: Wed, 14 Oct 2015 00:00:24 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510140700.t9E70OVS025740@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter               Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------------  ------------  ----------  -----------  --------  --------------------------------------------------------------------------------------------------
BIT-1489 [1]  BroControl  Daniel Thayer          Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1488 [3]  Bro         Oman Security Officer  -             2015-10-07  -            Normal    ICMP analyser incorrectly handles ICMP connections
BIT-1487 [4]  Bro         Eric Karasuda          -             2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue   Component    User        Updated     Title
------  -----------  ----------  ----------  ---------------------------------------------------
#6 [5]  bro-plugins  jswaro [6]  2015-10-06  Adding initial conversion of TCPRS to a plugin [7]
#1 [8]  broctl       J-Gras [9]  2015-10-08  Added support for packet fanout load balancing [10]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1488 https://bro-tracker.atlassian.net/browse/BIT-1488
[4] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[5] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[6] jswaro https://github.com/jswaro
[7] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[8] Pull Request #1 https://github.com/bro/broctl/pull/1
[9] J-Gras https://github.com/J-Gras
[10] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Wed Oct 14 02:40:00 2015
From: jira at bro-tracker.atlassian.net (Michal Purzynski (JIRA))
Date: Wed, 14 Oct 2015 04:40:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1492) Analyzers fail to attach when SYN missing
In-Reply-To: 
References: 
Message-ID: 

Michal Purzynski created BIT-1492:
-------------------------------------

             Summary: Analyzers fail to attach when SYN missing
                 Key: BIT-1492
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1492
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BinPAC, Bro
    Affects Versions: git/master, 2.4
            Reporter: Michal Purzynski
            Priority: High
         Attachments: https_no_syn.pcap, https.pcap


When the initial SYN packet is missing from the TCP connection, the conn.log gets created but no analyzers are attached.

1444814178.800000 C0xKJC4FTWyHP481Y3 198.18.7.165 54872 63.245.215.20 443 tcp - 1.608599 811 4856 SF - - 0 hADadFRf 8 1131 9 5228 (empty)

I've crafted the pcap to include a full session of wget https://mozilla.org and removed the initial SYN. SSL analyzer failed to attach. I can confirm the same behavior with other analyzers, too (tested HTTP).

I kind of wonder, would we lose a lot if we relaxed the rules for the 3WH a little bit? Like, allow the analyzer to continue, because it kind of looks like TCP. Kind of ;)

tshark is happy to tell me there is SSL inside, so looks like there is hope.

  1 0.000000 63.245.215.20 -> 198.18.7.165 TCP 66 443→54872 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=1024
  2 0.000330 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=1 Ack=1 Win=53248 Len=0
  3 0.001698 198.18.7.165 -> 63.245.215.20 SSL 575 Client Hello
  4 0.194256 63.245.215.20 -> 198.18.7.165 TCP 54 443→54872 [ACK] Seq=1 Ack=522 Win=16384 Len=0
  5 0.197021 63.245.215.20 -> 198.18.7.165 TLSv1.2 1514 Server Hello
  6 0.197361 63.245.215.20 -> 198.18.7.165 TCP 1514 [TCP segment of a reassembled PDU]
  7 0.197538 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=522 Ack=2921 Win=53248 Len=0
  8 0.197857 63.245.215.20 -> 198.18.7.165 TLSv1.2 1328 Certificate
  9 0.205449 198.18.7.165 -> 63.245.215.20 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request
 10 0.400301 63.245.215.20 -> 198.18.7.165 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
 11 0.405533 198.18.7.165 -> 63.245.215.20 TLSv1.2 218 Application Data
 12 0.598400 63.245.215.20 -> 198.18.7.165 TLSv1.2 634 Application Data
 13 0.655022 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=812 Ack=4826 Win=53248 Len=0
 14 1.413664 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [FIN, ACK] Seq=812 Ack=4826 Win=53248 Len=0
 15 1.607910 63.245.215.20 -> 198.18.7.165 TLSv1.2 85 Encrypted Alert
 16 1.608140 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [RST, ACK] Seq=813 Ack=4857 Win=0 Len=0
 17 1.608599 63.245.215.20 -> 198.18.7.165 TCP 54 443→54872 [FIN, ACK] Seq=4857 Ack=813 Win=17408 Len=0

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-001#70107)

From noreply at bro.org Thu Oct 15 00:00:25 2015
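The conn.log line in the BIT-1492 report above already carries the signal an operator can alert on: its history is hADadFRf, so Bro saw the responder's SYN-ACK (h) but never the originator's SYN (S), payload flowed in both directions (D, d), and service is still "-" although tshark sees TLS. The Python below is an added example, not part of the ticket and not Bro code, that reads Bro's tab-separated conn.log and flags exactly those connections, so a sensor owner can measure how much TCP traffic is going through without an analyzer. The history letters follow Bro's conn.log documentation (uppercase = originator, lowercase = responder; S = SYN without ACK, h = SYN+ACK, A/a = pure ACK, D/d = payload, F/f = FIN, R/r = RST). SAMPLE_ROWS is constructed: its first row is the ticket's own line, the other three are invented for contrast, and FIELDS assumes the Bro 2.4 conn.log column order, which the ticket's unlabeled line appears to follow.

```python
"""Flag conn.log connections whose originator SYN was never seen.

Added example for BIT-1492; not Bro code and not part of the ticket.
SAMPLE_ROWS is constructed: row 1 is the ticket's line, rows 2-4 are invented.
FIELDS assumes the Bro 2.4 conn.log column order.
"""
from dataclasses import dataclass
from typing import List

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
          "service", "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
          "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
          "resp_pkts", "resp_ip_bytes", "tunnel_parents"]

SAMPLE_ROWS = [
    # the ticket's line: SYN-ACK seen (h), no SYN (S), payload both ways, service unset
    ["1444814178.800000", "C0xKJC4FTWyHP481Y3", "198.18.7.165", "54872", "63.245.215.20",
     "443", "tcp", "-", "1.608599", "811", "4856", "SF", "-", "-", "0", "hADadFRf",
     "8", "1131", "9", "5228", "(empty)"],
    # invented: same flow with the full handshake, SSL analyzer attached
    ["1444814180.100000", "CfullHs000001", "198.18.7.165", "54873", "63.245.215.20",
     "443", "tcp", "ssl", "2.500000", "900", "5000", "SF", "-", "-", "0", "ShADadFf",
     "9", "1300", "9", "5300", "(empty)"],
    # invented: unanswered SYN (half-open scan), no payload
    ["1444814181.000000", "CscanS0000001", "198.18.7.200", "40000", "63.245.215.20",
     "22", "tcp", "-", "-", "-", "-", "S0", "-", "-", "0", "S",
     "1", "60", "0", "0", "(empty)"],
    # invented: UDP, handshake letters do not apply
    ["1444814182.000000", "CdnsUdp000001", "198.18.7.165", "51000", "198.18.7.1",
     "53", "udp", "dns", "0.010000", "40", "120", "SF", "-", "-", "0", "Dd",
     "1", "68", "1", "148", "(empty)"],
]

# Minimal ASCII-writer framing: '#' lines are metadata, '#fields' names the columns.
SAMPLE_LOG = ("#separator \\x09\n#path\tconn\n#fields\t" + "\t".join(FIELDS) + "\n"
              + "\n".join("\t".join(r) for r in SAMPLE_ROWS)
              + "\n#close\t2015-10-14-00-00-00\n")


@dataclass
class Conn:
    uid: str
    orig: str
    resp: str
    proto: str
    service: str
    history: str


def parse_conn_log(text: str) -> List[Conn]:
    """Parse Bro's ASCII conn.log into Conn records, using the '#fields' header."""
    fields: List[str] = []
    conns: List[Conn] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split("\t")))
            conns.append(Conn(row["uid"],
                              f"{row['id.orig_h']}:{row['id.orig_p']}",
                              f"{row['id.resp_h']}:{row['id.resp_p']}",
                              row["proto"], row["service"], row["history"]))
    return conns


def handshake_status(history: str) -> str:
    """Classify the TCP handshake from the history letters:
    complete    - originator SYN (S) and responder SYN-ACK (h) both seen
    missing_syn - SYN-ACK seen but no originator SYN (the BIT-1492 case)
    no_syn_ack  - SYN seen, never answered (half-open, scan, filtered)
    midstream   - neither, the connection was picked up in progress"""
    has_syn, has_syn_ack = "S" in history, "h" in history
    if has_syn and has_syn_ack:
        return "complete"
    if has_syn_ack:
        return "missing_syn"
    if has_syn:
        return "no_syn_ack"
    return "midstream"


def find_unanalyzed(conns: List[Conn]) -> List[Conn]:
    """TCP connections that carried payload (D or d) but whose SYN Bro never saw:
    the connections the ticket shows ending up with no analyzer attached."""
    return [c for c in conns
            if c.proto == "tcp"
            and handshake_status(c.history) == "missing_syn"
            and ("D" in c.history or "d" in c.history)]


if __name__ == "__main__":
    for c in find_unanalyzed(parse_conn_log(SAMPLE_LOG)):
        print(f"{c.uid} {c.orig} -> {c.resp} history={c.history} service={c.service}")
```

On the sample the only hit is the ticket's connection. Run over a day of conn.log on a real sensor, the ratio of missing_syn connections with payload to complete ones is a quick health check: a high ratio points at capture loss, asymmetric routing or a sensor that started after the connections did, rather than at the analyzers, and those are precisely the flows a relaxed handshake rule, as the ticket proposes, would bring back under analysis.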
From: noreply at bro.org (Merge Tracker)
Date: Thu, 15 Oct 2015 00:00:25 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510150700.t9F70PIJ000424@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter               Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------------  ------------  ----------  -----------  --------  --------------------------------------------------------------------------------------------------
BIT-1489 [1]  BroControl  Daniel Thayer          Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1488 [3]  Bro         Oman Security Officer  -             2015-10-07  -            Normal    ICMP analyser incorrectly handles ICMP connections
BIT-1487 [4]  Bro         Eric Karasuda          -             2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue   Component    User        Updated     Title
------  -----------  ----------  ----------  ---------------------------------------------------
#6 [5]  bro-plugins  jswaro [6]  2015-10-06  Adding initial conversion of TCPRS to a plugin [7]
#1 [8]  broctl       J-Gras [9]  2015-10-08  Added support for packet fanout load balancing [10]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1488 https://bro-tracker.atlassian.net/browse/BIT-1488
[4] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[5] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[6] jswaro https://github.com/jswaro
[7] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[8] Pull Request #1 https://github.com/bro/broctl/pull/1
[9] J-Gras https://github.com/J-Gras
[10] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Fri Oct 16 00:00:25 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 16 Oct 2015 00:00:25 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510160700.t9G70PZb025777@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter               Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------------  ------------  ----------  -----------  --------  --------------------------------------------------------------------------------------------------
BIT-1489 [1]  BroControl  Daniel Thayer          Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1488 [3]  Bro         Oman Security Officer  -             2015-10-07  -            Normal    ICMP analyser incorrectly handles ICMP connections
BIT-1487 [4]  Bro         Eric Karasuda          -             2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue   Component    User        Updated     Title
------  -----------  ----------  ----------  ---------------------------------------------------
#6 [5]  bro-plugins  jswaro [6]  2015-10-06  Adding initial conversion of TCPRS to a plugin [7]
#1 [8]  broctl       J-Gras [9]  2015-10-08  Added support for packet fanout load balancing [10]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1488 https://bro-tracker.atlassian.net/browse/BIT-1488
[4] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[5] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[6] jswaro https://github.com/jswaro
[7] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[8] Pull Request #1 https://github.com/bro/broctl/pull/1
[9] J-Gras https://github.com/J-Gras
[10] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Fri Oct 16 06:20:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 16 Oct 2015 08:20:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1493) HTTP log not getting filenames set
In-Reply-To: 
References: 
Message-ID: 

Seth Hall created BIT-1493:
------------------------------

             Summary: HTTP log not getting filenames set
                 Key: BIT-1493
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1493
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Seth Hall
         Attachments: http-filename.trace


When filenames are discovered in HTTP headers, the filename is successfully added to the files.log but not the http.log. It appears that some of the entity tracking in scripts/base/protocols/http/entities.bro might not be happening correctly. I've attached a trace that shows the problem and can be included in the test suite when the problem is fixed.

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-001#70107)

From jira at bro-tracker.atlassian.net Fri Oct 16 06:20:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 16 Oct 2015 08:20:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1493) HTTP log not getting filenames set
In-Reply-To: 
References: 
Message-ID: 

[ https://bro-tracker.atlassian.net/browse/BIT-1493?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1493:
---------------------------

    Attachment:     (was: http-filename.trace)

> HTTP log not getting filenames set
> ----------------------------------
>
>                 Key: BIT-1493
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1493
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>         Attachments: http-filename.trace
>
>
> When filenames are discovered in HTTP headers, the filename is successfully added to the files.log but not the http.log. It appears that some of the entity tracking in scripts/base/protocols/http/entities.bro might not be happening correctly. I've attached a trace that shows the problem and can be included in the test suite when the problem is fixed.

-- 
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-001#70107)

From noreply at bro.org Sat Oct 17 00:00:24 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 17 Oct 2015 00:00:24 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510170700.t9H70OR7028070@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter               Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------------  ------------  ----------  -----------  --------  --------------------------------------------------------------------------------------------------
BIT-1489 [1]  BroControl  Daniel Thayer          Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1488 [3]  Bro         Oman Security Officer  -             2015-10-07  -            Normal    ICMP analyser incorrectly handles ICMP connections
BIT-1487 [4]  Bro         Eric Karasuda          -             2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue   Component    User        Updated     Title
------  -----------  ----------  ----------  ---------------------------------------------------
#6 [5]  bro-plugins  jswaro [6]  2015-10-16  Adding initial conversion of TCPRS to a plugin [7]
#1 [8]  broctl       J-Gras [9]  2015-10-08  Added support for packet fanout load balancing [10]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1488 https://bro-tracker.atlassian.net/browse/BIT-1488
[4] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[5] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[6] jswaro https://github.com/jswaro
[7] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[8] Pull Request #1 https://github.com/bro/broctl/pull/1
[9] J-Gras https://github.com/J-Gras
[10] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Sun Oct 18 00:00:33 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 18 Oct 2015 00:00:33 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510180700.t9I70Xmx027601@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter               Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------------  ------------  ----------  -----------  --------  --------------------------------------------------------------------------------------------------
BIT-1489 [1]  BroControl  Daniel Thayer          Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1488 [3]  Bro         Oman Security Officer  -             2015-10-07  -            Normal    ICMP analyser incorrectly handles ICMP connections
BIT-1487 [4]  Bro         Eric Karasuda          -             2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue     Component    User                  Updated     Title
--------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [5]   bro          albertzaharovits [6]  2015-10-17  HTTP Content-Disposition header updates filename field in HTTP::Info [7]
#8 [8]    bro-plugins  michalpurzynski [9]   2015-10-17  Myricom SNF v3 packet source plugin [10]
#6 [11]   bro-plugins  jswaro [12]           2015-10-16  Adding initial conversion of TCPRS to a plugin [13]
#1 [14]   broctl       J-Gras [15]           2015-10-08  Added support for packet fanout load balancing [16]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1488 https://bro-tracker.atlassian.net/browse/BIT-1488
[4] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[5] Pull Request #46 https://github.com/bro/bro/pull/46
[6] albertzaharovits https://github.com/albertzaharovits
[7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[8] Pull Request #8 https://github.com/bro/bro-plugins/pull/8
[9] michalpurzynski https://github.com/michalpurzynski
[10] Merge Pull Request #8 with git pull --no-ff --no-commit https://github.com/michalpurzynski/bro-plugins.git master
[11] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[12] jswaro https://github.com/jswaro
[13] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[14] Pull Request #1 https://github.com/bro/broctl/pull/1
[15] J-Gras https://github.com/J-Gras
[16] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Mon Oct 19 00:00:33 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 19 Oct 2015 00:00:33 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510190700.t9J70Xq6013690@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter               Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------------  ------------  ----------  -----------  --------  ---------------------------------------------------------------------------------------------
BIT-1489 [1]  BroControl  Daniel Thayer          Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1488 [3]  Bro         Oman Security Officer  -             2015-10-07  -            Normal    ICMP analyser incorrectly handles ICMP connections
BIT-1487 [4]  Bro         Eric Karasuda          -             2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [5]  bro          albertzaharovits [6]  2015-10-17  HTTP Content-Disposition header updates filename field in HTTP::Info [7]
#8 [8]   bro-plugins  michalpurzynski [9]   2015-10-17  Myricom SNF v3 packet source plugin [10]
#6 [11]  bro-plugins  jswaro [12]           2015-10-16  Adding initial conversion of TCPRS to a plugin [13]
#1 [14]  broctl       J-Gras [15]           2015-10-08  Added support for packet fanout load balancing [16]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1488 https://bro-tracker.atlassian.net/browse/BIT-1488
[4] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[5] Pull Request #46 https://github.com/bro/bro/pull/46
[6] albertzaharovits https://github.com/albertzaharovits
[7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[8] Pull Request #8 https://github.com/bro/bro-plugins/pull/8
[9] michalpurzynski https://github.com/michalpurzynski
[10] Merge Pull Request #8 with git pull --no-ff --no-commit https://github.com/michalpurzynski/bro-plugins.git master
[11] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[12] jswaro https://github.com/jswaro
[13] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[14] Pull Request #1 https://github.com/bro/broctl/pull/1
[15] J-Gras https://github.com/J-Gras
[16] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Mon Oct 19 13:07:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:07:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1308) Add /opt/bro/bin to $PATH in RPM
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22600#comment-22600 ]

Johanna Amann commented on BIT-1308:
------------------------------------

Sorry for the long reply times. Not having Bro automatically added to the path actually was a conscious decision due to several reasons.

First -- if users install the packages for bro-nightly and bro simultaneously, it is unclear which one would end up in the path (they are designed in a way that the packages can be installed simultaneously).

Furthermore, it often only is desired to have the bro binaries accessible by the user that actually runs Bro --- some of the binaries contained in the distribution (like broctl) are also only runnable as root.

If you think there is a reason to add it, please let me know - I am going to close this for now :)

> Add /opt/bro/bin to $PATH in RPM
> --------------------------------
>
>                 Key: BIT-1308
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1308
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: 2.3
>         Environment: CentOS 6
>            Reporter: Richie B.
>
> In the Bro documentation, the first step after installing the Bro RPM is to add /opt/bro/bin to your $PATH. This can easily be done automatically by adding a file /etc/profile.d/bro.sh in the Bro RPM that contains:
>
> pathmunge /opt/bro/bin

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net Mon Oct 19 13:08:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:08:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1308) Add /opt/bro/bin to $PATH in RPM
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1308?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1308:
-------------------------------

    Resolution: Won't Fix
        Status: Closed  (was: Open)

> Add /opt/bro/bin to $PATH in RPM
> --------------------------------
>
>                 Key: BIT-1308
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1308
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: 2.3
>         Environment: CentOS 6
>            Reporter: Richie B.
>
> In the Bro documentation, the first step after installing the Bro RPM is to add /opt/bro/bin to your $PATH. This can easily be done automatically by adding a file /etc/profile.d/bro.sh in the Bro RPM that contains:
>
> pathmunge /opt/bro/bin

From jira at bro-tracker.atlassian.net Mon Oct 19 13:09:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:09:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1491) trying to change configuration of archived log file to not save in a .gz format. I don't want the logs zipped for testing in a small environment. Where can I change this configuration. Thanks.
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1491?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1491:
-------------------------------

    Resolution: Invalid
        Status: Closed  (was: Open)

Please use our mailing list (bro at bro.org) -- http://mailman.icsi.berkeley.edu/mailman/listinfo/bro for questions like this; this is not a bug.

> trying to change configuration of archived log file to not save in a .gz format. I don't want the logs zipped for testing in a small environment. Where can I change this configuration. Thanks.
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: BIT-1491
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1491
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: bro installed on ubuntu 12.04
>            Reporter: ronald Hill
>              Labels: logging
>

From jira at bro-tracker.atlassian.net Mon Oct 19 13:10:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:10:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-194) RFB (vnc) analyzer
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-194:
------------------------------

    Resolution: Feedback Missing
        Status: Closed  (was: Open)

Closing due to no feedback - if you are interested in developing this further, please let us know.

> RFB (vnc) analyzer
> ------------------
>
>                 Key: BIT-194
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-194
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>            Reporter: justin
>            Priority: Low
>              Labels: RFB, VNC
>         Attachments: rfb.patch
>
>
> I worked out an initial RFB analyzer.
>
> it adds the following events:
>
> {noformat}
> event rfb_server_version(c: connection, version: string)
>     {
>     print "Server", c$id$resp_h, version;
>     }
>
> event rfb_client_version(c: connection, version: string)
>     {
>     print "Client", c$id$orig_h, version;
>     }
> {noformat}
>
> it probably needs some work, and there is more information that can be parsed in the RFB_Client_Body and RFB_Server_Body.

From jira at bro-tracker.atlassian.net Mon Oct 19 13:11:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:11:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-592) topic/gilbert/profiles
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-592?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-592:
------------------------------

    Resolution: Feedback Missing
        Status: Closed  (was: Open)

Since there has been no progress on this since 2011 I assume this will not be done. Please open again as a merge request otherwise.

> topic/gilbert/profiles
> ----------------------
>
>                 Key: BIT-592
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-592
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: BTest
>            Reporter: gclark
>            Assignee: gclark
>            Priority: Low
>
> topic/gilbert/profiles in the 'btest' project should be ready to merge. Doesn't seem to be a 'btest' component option, so chose bro-aux instead.

From jira at bro-tracker.atlassian.net Mon Oct 19 13:14:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-991) Imap Analyzer
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22604#comment-22604 ]

Johanna Amann commented on BIT-991:
-----------------------------------

While having an imap analyzer would be interesting, I don't think we want to add one that is hand-written (i.e. parses the protocol in C-code) because it is easy to have a lot of subtle bugs in them. Would you potentially be interested in re-writing this to use binpac for the protocol parsing instead?

https://github.com/bro/bro/tree/topic/johanna/imap-starttls actually already has an imap analyzer template in binpac, to add StartTLS support. Adding more protocol features to this should not be too hard.

> Imap Analyzer
> -------------
>
>                 Key: BIT-991
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-991
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: nicolas
>            Assignee: Seth Hall
>            Priority: Low
>              Labels: Imap, analyzer
>             Fix For: 2.5
>
>         Attachments: 0001-IMAP-analyzer.patch
>
>
> Here is an Imap Analyzer and a quick script sample. It is inspired by the POP3 Analyzer.
> No problem to make some coding changes if you ask.
>
> Nicolas

From jira at bro-tracker.atlassian.net Mon Oct 19 13:15:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:15:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-966) logging and input framework config maps do not support values containing \0
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-966?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-966:
------------------------------

    Resolution: Won't Fix
        Status: Closed  (was: Open)

Closing because we don't actually have a use-case that needs 0 characters in text; seems more like an edge-case that is very unlikely to happen.

> logging and input framework config maps do not support values containing \0
> ---------------------------------------------------------------------------
>
>                 Key: BIT-966
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-966
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Priority: Low
>              Labels: threading
>             Fix For: 2.5
>
>
> The config maps in the input and logging frameworks are defined as map, thus allowing no \0 in values, where they could arguably be useful. This is due to the fact that we do not have a thread-safe string class available at the moment.

From jira at bro-tracker.atlassian.net Mon Oct 19 13:17:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:17:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-948) add bif for URI -> binary decoding
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-948:
------------------------------

    Resolution: Feedback Missing
        Status: Closed  (was: Open)

Closing because no feedback till 2013. If this is different from unescape_URI and still needed, please reopen.

> add bif for URI -> binary decoding
> ----------------------------------
>
>                 Key: BIT-948
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-948
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: scampbell
>            Priority: Low
>             Fix For: 2.5
>
>
> The current URI_decode() bif returns non-ascii data in a x\nn format which is safe, but not useful in all situations (such as when you need the literal binary data).
>
> thanks!
>
> scott

From jira at bro-tracker.atlassian.net Mon Oct 19 13:18:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-529) Support for DLT IEEE802_11_RADIO linktype
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-529?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-529:
------------------------------

    Fix Version/s: 2.5

> Support for DLT IEEE802_11_RADIO linktype
> -----------------------------------------
>
>                 Key: BIT-529
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-529
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: gregor
>            Assignee: Seth Hall
>            Priority: Low
>             Fix For: 2.5
>
>
> {noformat}
> #!rst
> Add support for DLT IEEE802_11_RADIO to Bro. It appears this linktype adds a bunch of info from the WLAN radio in front of the actual ethernet header. Unfortunately, it appears to have variable length headers, so adding support to Bro is not trivial.
>
> Many (all?) wlan interfaces can create pcap captures with this DLT. E.g., one can use
>
> * ``tcpdump -I ....`` or
> * ``tcpdump -y IEEE802_11_RADIO`` (depending on OS and tcpdump version used)
>
> On my Mac OS ``tcpdump -I`` works.
> {noformat}

From jira at bro-tracker.atlassian.net Mon Oct 19 13:18:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-529) Support for DLT IEEE802_11_RADIO linktype
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-529?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-529:
---------------------------------

    Assignee: Seth Hall

> Support for DLT IEEE802_11_RADIO linktype
> -----------------------------------------
>
>                 Key: BIT-529
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-529
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: gregor
>            Assignee: Seth Hall
>            Priority: Low
>             Fix For: 2.5
>
>
> {noformat}
> #!rst
> Add support for DLT IEEE802_11_RADIO to Bro. It appears this linktype adds a bunch of info from the WLAN radio in front of the actual ethernet header. Unfortunately, it appears to have variable length headers, so adding support to Bro is not trivial.
>
> Many (all?) wlan interfaces can create pcap captures with this DLT. E.g., one can use
>
> * ``tcpdump -I ....`` or
> * ``tcpdump -y IEEE802_11_RADIO`` (depending on OS and tcpdump version used)
>
> On my Mac OS ``tcpdump -I`` works.
> {noformat}

From jira at bro-tracker.atlassian.net Mon Oct 19 13:21:00 2015
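The variable-length header that BIT-529 (both of the two notifications above) calls non-trivial can still be skipped safely, because the fixed radiotap preamble carries the total header length. The C program below is an added example, not code from Bro or from the ticket; it parses the preamble, refuses to trust the length field until it has been checked against what was actually captured, and returns the offset of the 802.11 frame. The sample bytes are constructed for the example rather than taken from a real capture, and the type and function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Radiotap preamble: it_version(1) it_pad(1) it_len(2, little-endian)
 * it_present(4, little-endian). it_len is the length of the whole
 * radiotap header, including any extended present words and the
 * variable-length fields they announce, so a consumer that only wants
 * the 802.11 frame can skip by it without decoding every field. */
#define RADIOTAP_FIXED_LEN 8
#define RADIOTAP_VERSION   0

typedef struct {
    uint8_t  version;
    uint16_t length;    /* total radiotap header length in bytes */
    uint32_t present;   /* first present-flags word */
} radiotap_hdr;

/* Parse the fixed preamble. Returns 0 on success or a negative code:
 * -1 bad arguments, -2 capture shorter than the preamble,
 * -3 unknown radiotap version, -4 declared length inconsistent with
 * the captured bytes. */
int radiotap_parse(const uint8_t *buf, size_t buflen, radiotap_hdr *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    if (buflen < RADIOTAP_FIXED_LEN)
        return -2;
    out->version = buf[0];
    if (out->version != RADIOTAP_VERSION)
        return -3;
    out->length  = (uint16_t)(buf[2] | ((uint16_t)buf[3] << 8));
    out->present = (uint32_t)buf[4] | ((uint32_t)buf[5] << 8)
                 | ((uint32_t)buf[6] << 16) | ((uint32_t)buf[7] << 24);
    /* it_len comes from the wire, so it must cover at least the preamble
     * and must not run past what was actually captured; skipping by an
     * unchecked value would read out of bounds. */
    if (out->length < RADIOTAP_FIXED_LEN || (size_t)out->length > buflen)
        return -4;
    return 0;
}

/* Offset of the 802.11 frame inside buf, or -1 if the radiotap header is
 * invalid or nothing follows it. */
long radiotap_frame_offset(const uint8_t *buf, size_t buflen)
{
    radiotap_hdr h;
    if (radiotap_parse(buf, buflen, &h) != 0)
        return -1;
    if ((size_t)h.length >= buflen)   /* header present, frame missing */
        return -1;
    return (long)h.length;
}

/* Convenience wrapper returning only the parse status code. */
int radiotap_status(const uint8_t *buf, size_t buflen)
{
    radiotap_hdr h;
    return radiotap_parse(buf, buflen, &h);
}

/* Constructed sample (not a real capture): an 18-byte radiotap header
 * with version 0, it_len 0x0012 and present flags 0x00000007 (TSFT,
 * flags, rate), followed by the first two bytes of a beacon frame. */
const uint8_t SAMPLE_CAPTURE[] = {
    0x00, 0x00, 0x12, 0x00, 0x07, 0x00, 0x00, 0x00, /* preamble */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* TSFT, 8 bytes */
    0x10, 0x02,                                     /* flags, rate */
    0x80, 0x00                                      /* 802.11 frame control */
};
const size_t SAMPLE_CAPTURE_LEN = sizeof SAMPLE_CAPTURE;

/* Constructed sample whose version byte is not 0. */
const uint8_t SAMPLE_BAD_VERSION[] = {
    0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00
};
const size_t SAMPLE_BAD_VERSION_LEN = sizeof SAMPLE_BAD_VERSION;

int main(void)
{
    printf("frame offset: %ld\n", radiotap_frame_offset(SAMPLE_CAPTURE, SAMPLE_CAPTURE_LEN));
    printf("truncated:    %ld\n", radiotap_frame_offset(SAMPLE_CAPTURE, 10));
    printf("bad version:  %d\n",  radiotap_status(SAMPLE_BAD_VERSION, SAMPLE_BAD_VERSION_LEN));
    return 0;
}
```

Because the parser only consumes the preamble, it does not need to know every radiotap field or its alignment rules; those matter only if the radio metadata itself is wanted, and can be added behind the same length check.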
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:21:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1200) CloneSerializer cannot handle recursive records
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1200?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1200:
-------------------------------

    Resolution: Duplicate
        Status: Closed  (was: Open)

Closing as a duplicate of BIT-249

> CloneSerializer cannot handle recursive records
> -----------------------------------------------
>
>                 Key: BIT-1200
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1200
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Vlad Grigorescu
>
> Running something like this will result in an infinite loop in the serializer:
>
> {code}
> type conn_with_ts: record {
>     c: connection;
>     ts: time;
> };
>
> redef record connection += {
>     conn_with_ts: conn_with_ts &optional;
> };
>
> event connection_established(c: connection) {
>     local oops = copy(c);
> }
> {code}

From jira at bro-tracker.atlassian.net Mon Oct 19 13:21:00 2015
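The infinite loop BIT-1200 describes is the general hazard of copying a record graph that can point back at itself: a copier that recurses into every field before remembering what it has already copied never terminates. The C program below is an added example, not Bro's CloneSerializer or any code from the ticket; it shows a memoised deep copy that handles both a two-record cycle (the `connection` / `conn_with_ts` shape in the ticket) and a direct self-reference, and frees the copy without walking the cyclic pointers. The `record` type, the memo table and the function names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>

/* A record whose optional reference may form a cycle. */
typedef struct record {
    int id;
    struct record *ref;
} record;

/* Memo table: every source record already copied, with its clone. */
typedef struct { const record *src; record *dst; } memo_entry;
typedef struct { memo_entry *e; size_t n, cap; } memo;

static record *memo_lookup(const memo *m, const record *src)
{
    for (size_t i = 0; i < m->n; i++)
        if (m->e[i].src == src)
            return m->e[i].dst;
    return NULL;
}

static int memo_add(memo *m, const record *src, record *dst)
{
    if (m->n == m->cap) {
        size_t ncap = m->cap ? m->cap * 2 : 8;
        memo_entry *ne = realloc(m->e, ncap * sizeof *ne);
        if (ne == NULL)
            return -1;
        m->e = ne;
        m->cap = ncap;
    }
    m->e[m->n].src = src;
    m->e[m->n].dst = dst;
    m->n++;
    return 0;
}

/* Release every clone the memo produced. Walking the table instead of
 * the ref pointers means a cyclic clone is freed exactly once. */
void memo_free_clones(memo *m)
{
    for (size_t i = 0; i < m->n; i++)
        free(m->e[i].dst);
    free(m->e);
    m->e = NULL;
    m->n = m->cap = 0;
}

/* Cycle-safe deep copy. The clone is registered in the memo *before* its
 * fields are copied, so a back-reference to a record still being copied
 * resolves to the partially built clone instead of starting a new copy;
 * a naive "copy every field recursively" loops forever on the same input. */
record *clone_safe(const record *r, memo *m)
{
    if (r == NULL)
        return NULL;
    record *seen = memo_lookup(m, r);
    if (seen != NULL)
        return seen;
    record *c = malloc(sizeof *c);
    if (c == NULL)
        return NULL;
    c->id = r->id;
    c->ref = NULL;
    if (memo_add(m, r, c) != 0) {
        free(c);
        return NULL;
    }
    c->ref = clone_safe(r->ref, m);
    return c;
}

/* Two records referencing each other; returns 1 if the copy is a distinct,
 * structurally identical two-node cycle. */
int demo_mutual_cycle(void)
{
    record a = {1, NULL}, b = {2, NULL};
    a.ref = &b;
    b.ref = &a;
    memo m = {NULL, 0, 0};
    record *ca = clone_safe(&a, &m);
    int ok = ca != NULL && ca != &a && ca->id == 1 && ca->ref != NULL
          && ca->ref->id == 2 && ca->ref->ref == ca && m.n == 2;
    memo_free_clones(&m);
    return ok;
}

/* A record pointing at itself; returns 1 if the copy is one node whose
 * ref points back at the copy, not at the original. */
int demo_self_reference(void)
{
    record s = {7, NULL};
    s.ref = &s;
    memo m = {NULL, 0, 0};
    record *c = clone_safe(&s, &m);
    int ok = c != NULL && c != &s && c->id == 7 && c->ref == c && m.n == 1;
    memo_free_clones(&m);
    return ok;
}

int main(void)
{
    printf("mutual cycle copied correctly: %d\n", demo_mutual_cycle());
    printf("self-reference copied correctly: %d\n", demo_self_reference());
    return 0;
}
```

The same register-before-descend rule applies to any serializer that writes a graph to bytes: emit a reference to an already-seen node instead of re-serialising it, otherwise an attacker-controlled or accidentally cyclic value turns a copy into unbounded work.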
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:21:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-278) Fix port handling in Broccoli
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-278?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-278:
------------------------------

    Resolution: Won't Fix
        Status: Closed  (was: Open)

Closing since we are deprecating Broccoli.

> Fix port handling in Broccoli
> -----------------------------
>
>                 Key: BIT-278
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-278
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Broccoli
>    Affects Versions: 1.5.1
>            Reporter: Seth Hall
>            Assignee: kreibich
>
> BRO_TYPE_PORT values in Broccoli currently only allow tcp,udp, and icmp. If you attempt to set a protocol value to anything that doesn't map to one of those protocols (e.g. 255), it will cause Broccoli to segfault when you do the following:
>
> {noformat}
> BroPort dst_p;
> dst_p.port_num = 0;
> dst_p.port_proto = 255;
> bro_record_add_val(packet_id, "dst_p", BRO_TYPE_PORT, NULL, &dst_p);
> {noformat}
>
> The offending code in bro_val.c seems to be:
>
> {noformat}
> if (tmp->port_proto != IPPROTO_TCP &&
>     tmp->port_proto != IPPROTO_UDP &&
>     tmp->port_proto != IPPROTO_ICMP)
>     {
>     __bro_sobject_release((BroSObject *) data);
>     D_RETURN_(FALSE);
>     }
> {noformat}

From jira at bro-tracker.atlassian.net Mon Oct 19 13:23:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:23:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-635) Test to crash proxies
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-635?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-635:
------------------------------

    Resolution: Won't Fix
        Status: Closed  (was: Open)

Closing - we are moving away from the current communication scheme - and this has not been touched for 4 years.

> Test to crash proxies
> ---------------------
>
>                 Key: BIT-635
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-635
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Seth Hall
>
> I have a btest test that can reliably crash proxies (on my laptop at least). I'm not assigning this to the next release though because it just seems to be a case of filling the pipe between the parent and child and not the weird "poll 101" crash that is occasionally seen in some cases, I'm still trying to create a test to cause that crash.
>
> Here's the error you get from btest from each proxy since each proxy in the test crashes with the same message::
>
> {noformat}
> error: parent: 1317739862.781639 fatal error, shutting down communication: Resource temporarily unavailable [35]
> error: parent: 1317739862.781754 fatal error, shutting down communication: Resource temporarily unavailable [35]
> error: parent: 1317739862.781775 fatal error, shutting down communication: Resource temporarily unavailable [35]
> Assertion failed: (peer->log_buffer), function SendLogWrite, file ./src/RemoteSerializer.cc, line 2556.
> {noformat}
>
> Here's the test::
>
> {noformat}
> # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
> # @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT
> # @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT
> # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
> # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
> # @TEST-EXEC: btest-bg-run worker-3 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-3 bro %INPUT
> # @TEST-EXEC: btest-bg-run worker-4 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-4 bro %INPUT
> # @TEST-EXEC: btest-bg-wait -k 10
> # @TEST-EXEC: btest-diff proxy-1/.stdout
>
> @TEST-START-FILE cluster-layout.bro
> redef Cluster::nodes = {
>     ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")],
>     ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1", "worker-3")],
>     ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1", $workers=set("worker-2", "worker-4")],
>     ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"],
>     ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-2", $interface="eth1"],
>     ["worker-3"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37762/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"],
>     ["worker-4"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37763/tcp, $manager="manager-1", $proxy="proxy-2", $interface="eth1"],
> };
> @TEST-END-FILE
>
> global all_data: set[string] = set() &synchronized;
> global blah = 0;
>
> @if ( Cluster::local_node_type() == Cluster::WORKER )
> event slam_proxy()
>     {
>     add all_data[unique_id(peer_description)];
>     ++blah;
>     if ( blah < 10000 )
>         event slam_proxy();
>     }
>
> event bro_init()
>     {
>     event slam_proxy();
>     }
> @endif
> {noformat}

From jira at bro-tracker.atlassian.net Mon Oct 19 13:25:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:25:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-802) A Broccoli server to send IDMEF alerts via prelude
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-802?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-802:
------------------------------

    Resolution: Invalid
        Status: Closed  (was: Open)

Closing - not a bug.

> A Broccoli server to send IDMEF alerts via prelude
> --------------------------------------------------
>
>                 Key: BIT-802
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-802
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Broccoli
>    Affects Versions: git/master
>            Reporter: juliensentier
>         Attachments: bro2prelude.tar.gz
>
>
> Here is an application which uses Broccoli.
> It runs as a server waiting for multiple Bros to connect.
> It requests a certain event, and using its parameters, makes an IDMEF alert out of it and sends it via libprelude.
> In the archive, there is a Bro script given as an example, with a dummy alert generation.

From jira at bro-tracker.atlassian.net Mon Oct 19 13:26:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:26:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-419) Add a "real" list type to the scripting language.
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-419?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-419:
------------------------------

    Resolution: Invalid
        Status: Closed  (was: Open)

Does not need a ticket - we definitely will not forget about this.

> Add a "real" list type to the scripting language.
> -------------------------------------------------
>
>                 Key: BIT-419
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-419
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Robin Sommer
>              Labels: language
>
> See subject. Include convenience support for using it as a stack and fifo.

From jira at bro-tracker.atlassian.net Mon Oct 19 13:30:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:30:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1225) ReadFile API: topic/seth/readfile
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1225?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1225:
-------------------------------

    Resolution: Incomplete
        Status: Closed  (was: Open)

Closing - since there is nothing to do here until Seth rewrites it. Please re-open when this is done :)

> ReadFile API: topic/seth/readfile
> ---------------------------------
>
>                 Key: BIT-1225
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1225
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Seth Hall
>             Fix For: 2.5
>
>
> The ReadFile module provides a simplified API for reading files off of disk.

From jira at bro-tracker.atlassian.net Mon Oct 19 13:31:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:31:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1154) Formatters restructured in: topic/seth/json-formatter
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22613#comment-22613 ]

Johanna Amann commented on BIT-1154:
------------------------------------

Seth, will you still do these? :)

> Formatters restructured in: topic/seth/json-formatter
> -----------------------------------------------------
>
>                 Key: BIT-1154
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1154
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Seth Hall
>            Assignee: Seth Hall
>             Fix For: 2.5
>
>
> topic/seth/json-formatter has an abstraction for Formatters and I created a formatters directory under threading. There is also a new JSON formatter and support in the Ascii and ElasticSearch writers for the JSON formatter.
>
> I went ahead and threw in per-filter configuration options for the Ascii writer for all of the options that were exposed globally too.

From jira at bro-tracker.atlassian.net Mon Oct 19 13:35:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:35:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-634) CouchDB writer
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-634?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-634:
------------------------------

    Resolution: Incomplete
        Status: Closed  (was: Open)

Closing because the patch is out of date and there is nothing to do at the moment. Please re-open if there is a new patch or interest in working on it.

> CouchDB writer
> --------------
>
>                 Key: BIT-634
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-634
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>            Reporter: jeff.baumes
>             Fix For: 2.5
>
>         Attachments: 0001-Adding-couchdb-writer.patch
>
>
> Attached is a git patch for logging information to CouchDB. It has a new dependence on libcurl which it searches for with a find_package CMake command, and JsonCpp (MIT license), whose code is included directly in the source tree.

From jira at bro-tracker.atlassian.net Mon Oct 19 13:36:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:36:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-735) Clean up and merge the TCPStats analyzer
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-735?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-735:
------------------------------

    Resolution: Incomplete
        Status: Closed  (was: Open)

Closing - there has been no progress on this since 2012.

> Clean up and merge the TCPStats analyzer
> ----------------------------------------
>
>                 Key: BIT-735
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-735
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>            Reporter: Seth Hall
>             Fix For: 2.5
>
>
> Katrina wants to get her TCPStats analyzer merged. Let's aim for getting it cleaned up and ready for the 2.1 release.

From jira at bro-tracker.atlassian.net Mon Oct 19 13:39:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:39:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-831) Interpreter exceptions cause memory leaks (was "Memory leak in print")
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-831?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-831:
------------------------------

    Resolution: Won't Fix
        Status: Closed  (was: Open)

Closing - we will not be able to fix this anytime in the foreseeable future because of the current internal architecture. Fixing this would be part of a major rewrite of the scripting functionality of Bro--and we will not forget about it; this is one of the well-known current gotchas of Bro.

> Interpreter exceptions cause memory leaks (was "Memory leak in print")
> ----------------------------------------------------------------------
>
>                 Key: BIT-831
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-831
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>             Fix For: 2.5
>
>         Attachments: bug.bro, leak.pdf
>
>
> The following bro script apparently triggers a memory-leak in the print statement.
>
> {noformat}
> event HTTP::log_http(rec: HTTP::Info)
>     {
>     print fmt("%s %s", rec$md5, rec);
>     }
> {noformat}
>
> To reproduce run bro using 2009-M57-day11-18.trace. pprof output is attached.

From jira at bro-tracker.atlassian.net Mon Oct 19 13:44:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:44:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-903) -b turns off -f
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-903?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-903:
------------------------------

    Resolution: Duplicate
        Status: Closed  (was: Open)

Duplicate of BIT-1407

> -b turns off -f
> ---------------
>
>                 Key: BIT-903
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-903
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Vern Paxson
>             Fix For: 2.5
>
>         Attachments: signature.asc, single-tcp-conn-est.trace
>
>
> Running with \-b (bare bones) disables processing by \-f. Boy did this take me a long time to figure out :-(.
> Reproduce using the appended trace. Invoking with *-e 'event connection_established(c:connection) \{ print "yep"; }*' will print "yep". Invoking with that plus *-f 'not tcp*' won't print anything. But invoking with *-f 'not tcp' \-b* _does_ print "yep".

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net  Mon Oct 19 13:50:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Mon, 19 Oct 2015 15:50:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1421) Lack of Sanity Check in file 'bro_type.c' in directory aux/broccoli/src In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1421?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1421: ------------------------------- Resolution: Won't Fix Status: Closed (was: Open) Closing - same reasons as in BIT-1422 > Lack of Sanity Check in file 'bro_type.c' in directory aux/broccoli/src > ----------------------------------------------------------------------- > > Key: BIT-1421 > URL: https://bro-tracker.atlassian.net/browse/BIT-1421 > Project: Bro Issue Tracker > Issue Type: Patch > Components: bro-aux > Affects Versions: 2.3 > Environment: Operating System (Linux/Unix/Windows/All) > Reporter: Bill Parker > Labels: Check, Sanity > Fix For: 2.5 > > Attachments: bro_type.c.patch > > > Hello, > In reviewing code in file 'bro_type.c' in directory 'aux/broccoli/src', I found a(n) instance where calloc() is called without a corresponding test for NULL, indicating failure. The patch file below addresses/corrects this issue: > --- bro_type.c.orig 2015-06-06 09:36:11.857384277 -0700 > +++ bro_type.c 2015-06-06 09:37:58.675960368 -0700 > @@ -1479,6 +1479,9 @@ > while (len--) { > BroString name; > uint64 *val = (uint64*) calloc(1, sizeof(uint64)); > + if (val == NULL) { /* Unable to allocate memory... */ > + D_RETURN_(FALSE); > + } > > if (! __bro_buf_read_string(bc->rx_buf, &name) || > ! __bro_buf_read_int64(bc->rx_buf, val)) > I am attaching the patch file to this bug report. > Bill Parker (wp02855 at gmail dot com) -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Mon Oct 19 13:50:00 2015 
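Review bot: the early `D_RETURN_(FALSE);` placed right after the `calloc()` inside `while (len--)` returns without releasing the `uint64` values that earlier iterations of the same loop already allocated, so unless the caller's failure path frees them, the patch trades a crash on a NULL pointer for a leak on every prior entry. Either free what this loop has allocated so far before returning, or say in the commit text that the caller cleans up. The maintainers' stated position in the BIT-1422 resolution, that a crash on an exhausted heap is acceptable here, is a defensible alternative to adding the check at all.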
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Mon, 19 Oct 2015 15:50:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1422) Lack of Sanity Check in file 'broccoli_intern.i' In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1422: ------------------------------- Resolution: Won't Fix Status: Closed (was: Open) I am closing this as won't fix. Broccoli is going away, so we probably do not want to invest any work there. Furthermore, adding error messages on memory exhaustion does not really help - if malloc fails, Bro will crash within a very short time. Just accepting that and crashing on the first 0-pointer malloc returns seems to be preferable to having checks with a error message at every malloc. > Lack of Sanity Check in file 'broccoli_intern.i' > ------------------------------------------------ > > Key: BIT-1422 > URL: https://bro-tracker.atlassian.net/browse/BIT-1422 > Project: Bro Issue Tracker > Issue Type: Patch > Components: broccoli-python > Affects Versions: 2.3 > Environment: Operating System (Linux/Unix/Windows/All) > Reporter: Bill Parker > Labels: Checking, Sanity > Fix For: 2.5 > > Attachments: broccoli_intern.i.patch > > > Hello All, > In file 'broccoli_intern.i', in directory 'aux/broccoli/bindings/broccoli-python', I found a number of instances where calls to malloc() are made without a corresponding check for a return value of NULL, indicating failure. The patch file below corrects/addresses this issue: > --- broccoli_intern.i.orig 2015-06-06 09:02:11.949122426 -0700 > +++ broccoli_intern.i 2015-06-06 09:23:00.187767139 -0700 
> @@ -229,6 +229,11 @@ > case BRO_TYPE_BOOL: > case BRO_TYPE_INT: { > int64_t* tmp = (int64_t *)malloc(sizeof(int64_t)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro BOOL/INT"); > + return 0; /* should we return ENOMEM here instead? */ > + } > + > *tmp = PyInt_AsLong(val); > *data = tmp; > break; > @@ -237,6 +242,10 @@ > case BRO_TYPE_COUNT: > case BRO_TYPE_COUNTER: { > uint64_t* tmp = (uint64_t *)malloc(sizeof(uint64_t)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro COUNT/COUNTER"); > + return 0; /* should we return ENOMEM here instead? */ > + } > *tmp = PyInt_AsLong(val); > *data = tmp; > break; > @@ -247,6 +256,10 @@ > return 0; > > BroAddr* addr = (BroAddr*)malloc(sizeof(BroAddr)); > + if (addr == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_IPADDR"); > + return 0; /* should we return ENOMEM here instead? */ > + } > parseAddrTuple(val, addr); > *data = addr; > break; > @@ -256,6 +269,10 @@ > case BRO_TYPE_TIME: > case BRO_TYPE_INTERVAL: { > double* tmp = (double *)malloc(sizeof(double)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE DOUBLE/TIME/INTERVAL"); > + return 0; /* should we return ENOMEM here instead? */ > + } > *tmp = PyFloat_AsDouble(val); > *data = tmp; > break; > @@ -269,6 +286,10 @@ > return 0; > > str = (BroString *)malloc(sizeof(BroString)); > + if (str == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_STRING"); > + return 0; /* should we return ENOMEM here instead? */ > + } > str->str_len = strlen(tmp); > str->str_val = (uchar*)strdup(tmp); > *data = str; 
> @@ -282,6 +303,10 @@ > } > > int* tmp = (int *)malloc(sizeof(int)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_ENUM"); > + return 0; /* should we return ENOMEM here instead? */ > + } > *tmp = PyInt_AsLong(PyTuple_GetItem(val, 0)); > *data = tmp; > > @@ -300,6 +325,10 @@ > } > > BroPort* port = (BroPort *)malloc(sizeof(BroPort)); > + if (port == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_PORT"); > + return 0; /* should we return ENOMEM here instead? */ > + } > port->port_num = PyInt_AsLong(PyTuple_GetItem(val, 0)); > port->port_proto = PyInt_AsLong(PyTuple_GetItem(val, 1)); > *data = port; > @@ -316,6 +345,10 @@ > return 0; > > BroSubnet* subnet = (BroSubnet *)malloc(sizeof(BroSubnet)); > + if (subnet == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_SUBNET"); > + return 0; > + } > > parseAddrTuple(addr, &subnet->sn_net); > > I am attaching the patch file to this bug report... > Bill Parker (wp02855 at gmail dot com) -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Mon Oct 19 13:51:00 2015 
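Review bot: the `return 0; /* should we return ENOMEM here instead? */` question repeated in every hunk has a standard answer for a CPython extension: a conversion routine signals failure by setting an exception and returning 0, so the return value is right, but the exception should be raised with `PyErr_NoMemory()` (which sets `MemoryError`) rather than `PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for ...")`. That collapses the per-type message strings into one call and lets Python callers catch `MemoryError` specifically. Style nit: the first hunk (BRO_TYPE_BOOL/INT) adds a trailing blank `+` line after the check and the others do not; pick one.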
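Review bot: in the BRO_TYPE_STRING hunk the new NULL check on `str` is immediately followed by `str->str_val = (uchar*)strdup(tmp);`, which is another unchecked heap allocation, so that case is only half covered. If the check on `str` is worth having, `strdup()` needs the same test, and `str` must be freed on that failure path so the function does not leak the struct it just allocated.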
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Mon, 19 Oct 2015 15:51:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1420) Replace bzero() with memset() in broccoli/test/broping.c In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1420?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1420: ------------------------------- Resolution: Won't Fix Status: Closed (was: Open) Closing - broccoli will go away. > Replace bzero() with memset() in broccoli/test/broping.c > -------------------------------------------------------- > > Key: BIT-1420 > URL: https://bro-tracker.atlassian.net/browse/BIT-1420 > Project: Bro Issue Tracker > Issue Type: Patch > Components: Broccoli > Affects Versions: 2.3 > Environment: Operating System (Linux/Unix/Windows/All) > Reporter: Bill Parker > Labels: obsolete/deprecated > Fix For: 2.5 > > Attachments: broping.c.patch > > > Hello, > In reviewing code for file 'broping.c' in directory 'broccoli/test', I found an instance of > a call to bzero() which is deprecated per POSIX/C99 standards, which should be replaced > with memset(). The patch file which changes this is below: > --- broping.c.orig 2015-06-06 09:43:16.694378874 -0700 > +++ broping.c 2015-06-06 09:44:06.625724891 -0700 > @@ -224,7 +224,7 @@ > exit(-1); > } > > - bzero(&server, sizeof(server)); > + memset(&server, 0, sizeof(server)); > server.sin_family = AF_INET; > server.sin_port = htons(port); > server.sin_addr.s_addr = 0; > I am attaching the patch file to this bug report. > Bill Parker (wp02855 at gmail dot com) -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Mon Oct 19 13:53:00 2015 
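Review bot: `memset(&server, 0, sizeof(server));` is the right replacement, but `memset()` is declared in `<string.h>` whereas `bzero()` comes from `<strings.h>`, and the hunk does not touch the includes; check that `broping.c` already includes `<string.h>`, otherwise the build picks up an implicit-declaration warning. One nit on the rationale: `bzero()` was marked legacy in POSIX.1-2001 and removed in POSIX.1-2008, but it was never part of C99, so the commit text should cite POSIX only.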
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Mon, 19 Oct 2015 15:53:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1416) Lack of Sanity Checking in file nfcollector.c in Bro-2.3.2 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1416?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1416: ------------------------------- Resolution: Won't Fix Status: Closed (was: Open) Closing - see reasons in BIT-1422. > Lack of Sanity Checking in file nfcollector.c in Bro-2.3.2 > ---------------------------------------------------------- > > Key: BIT-1416 > URL: https://bro-tracker.atlassian.net/browse/BIT-1416 > Project: Bro Issue Tracker > Issue Type: Patch > Components: bro-aux > Affects Versions: 2.3 > Environment: Unix/Linux/Windows/All (OS) > Reporter: Bill Parker > Labels: cleanup > Fix For: 2.5 > > Attachments: nfcollector.c.patch > > > Hello All, > In reviewing code in Bro-2.3.2, file 'nfcollector.c', in directory 'aux/bro-aux/nftools', I found a call to malloc() without a check for a return value of NULL, indicating failure. The patch file below should correct/address this issue: > --- nfcollector.c.orig 2015-06-05 13:13:50.404241937 -0700 > +++ nfcollector.c 2015-06-05 13:16:10.305022607 -0700 > @@ -41,6 +41,10 @@ > switch (opt) { > case 'o': > outfile = malloc (strlen(optarg) + 1); > + if (outfile == NULL) { > + fprintf(stderr, " Unable to allocate memory for output file I/O, exiting...\n"); > + pleave(1, "Out of Memory"); > + } > strcpy (outfile, optarg); > break; > case 'p': > I am attaching the patch file to this bug report > Bill Parker (wp02855 at gmail dot com) -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Mon Oct 19 13:53:00 2015 
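Review bot: the new check relies on `pleave(1, "Out of Memory");` never returning, and nothing in the hunk shows it is `noreturn`; if it does return, control falls through to `strcpy (outfile, optarg);` with `outfile == NULL`, which is exactly the crash the patch sets out to avoid. Either confirm `pleave()` exits or follow it with an explicit `exit(1);`. The preceding `fprintf(stderr, ...)` also duplicates the message handed to `pleave()` and has a stray leading space in its format string.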
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Mon, 19 Oct 2015 15:53:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1415) Lack of Sanity Checking in file patricia.c in Bro-2.3.2 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1415: ------------------------------- Resolution: Won't Fix Status: Closed (was: Open) Closing - see reasons in BIT-1422. > Lack of Sanity Checking in file patricia.c in Bro-2.3.2 > ------------------------------------------------------- > > Key: BIT-1415 > URL: https://bro-tracker.atlassian.net/browse/BIT-1415 > Project: Bro Issue Tracker > Issue Type: Patch > Components: bro-aux > Affects Versions: 2.3 > Environment: Unix/Linux/Windows (lack of sanity checking) > Reporter: Bill Parker > Labels: broctl > Fix For: 2.5 > > Attachments: patricia.c.patch > > > Hello All, > In reviewing source code in Bro-2.3.2, I found several instances of missing sanity checks > for calls to calloc() in file 'patricia.c' in directory 'aux/broctl/aux/pysubnettree', where calls > to calloc() are not checked for a return value of NULL, indicating failure. The patch file below corrects/addresses these issues: > --- patricia.c.orig 2015-06-05 13:25:12.749964570 -0700 > +++ patricia.c 2015-06-05 13:36:05.432917217 -0700 > @@ -265,7 +265,10 @@ > //prefix4_t size incorrect on NT > prefix = calloc(1, sizeof (prefix_t)); > #endif /* NT */ > - > + if (prefix == NULL) { /* we tried to allocate memory again, and failed... */ > + fprintf(stderr, "Unable to allocate memory for prefix...\n"); > + return (prefix); /* can we return NULL here? */ > + } > dynamic_allocated++; > } > memcpy (&prefix->add.sin, dest, 4); 
> @@ -396,6 +399,10 @@ > New_Patricia (int maxbits) > { > patricia_tree_t *patricia = calloc(1, sizeof *patricia); > + if (patricia == NULL) { /* oops, calloc() failed, now what? */ > + fprintf(stderr, "Unable to allocate memory in New_Patricia...\n"); > + return (patricia); /* can we return NULL here? */ > + } > > patricia->maxbits = maxbits; > patricia->head = NULL; > @@ -665,6 +672,10 @@ > > if (patricia->head == NULL) { > node = calloc(1, sizeof *node); > + if (node == NULL) { /* oops, memory allocation failed... */ > + fprintf(stderr, "Unable to allocate memory for patricia_lookup...\n"); > + return NULL; /* can we return NULL here??? */ > + } > node->bit = prefix->bitlen; > node->prefix = Ref_Prefix (prefix); > node->parent = NULL; > @@ -776,6 +787,11 @@ > } > > new_node = calloc(1, sizeof *new_node); > + if (new_node == NULL) { /* oops, unable to allocate memory for new_node */ > + fprintf(stderr, "Unable to allocate memory for new_node in patricia_lookup...\n"); > + free(node); > + return (NULL); /* can we return NULL here? */ > + } > new_node->bit = prefix->bitlen; > new_node->prefix = Ref_Prefix (prefix); > new_node->parent = NULL; > @@ -828,6 +844,12 @@ > } > else { > glue = calloc(1, sizeof *glue); > + if (glue == NULL) { /* oops, unable to allocate memory for glue... */ > + fprintf(stderr, "Unable to allocate memory for glue in patricia_lookup...\n"); > + free(new_node); > + free(node); > + return (glue); /* can we return NULL here? */ > + } > glue->bit = differ_bit; > glue->prefix = NULL; > glue->parent = node->parent; -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Mon Oct 19 13:54:00 2015 
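Review bot: in the `new_node` and `glue` hunks of `patricia_lookup` the failure paths call `free(node);`, but `node` there is an existing tree node reached by the lookup, not something this call allocated; the `glue` hunk itself reads `node->parent` a few lines after the point where the failure path would have freed it. Freeing it leaves a dangling pointer inside the tree, which is worse than the allocation failure being handled. Release only what this function allocated (`new_node` on the `glue` path) and return NULL.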
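Review bot: the first hunk replaces a blank context line with the check and asks `/* can we return NULL here? */`; the same question applies to `New_Patricia` returning `patricia`. Returning NULL from these constructors is only safe if every caller tests for it, and the existing callers were written against a `calloc()` that was assumed to succeed, so without a caller audit in the same patch the NULL propagates to a crash one frame later. If the callers are not audited, an `abort()` after the `fprintf()` is the honest behaviour, and it matches the maintainers' resolution in BIT-1422.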
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1431) Loss of information due to analyzer capitalization changes
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1431:
-------------------------------

    Fix Version/s: 2.5

> Loss of information due to analyzer capitalization changes
> ----------------------------------------------------------
>
>                 Key: BIT-1431
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1431
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.5
>            Reporter: Seth Hall
>             Fix For: 2.5
>
>
> Currently some of Bro's analyzers are changing the case of data before passing it along to events which is a fairly dramatic loss of information in some cases.
> The two known examples right now are the query in DNS (lowercased) and the header field name in HTTP (uppercased). The question is if we should brute force change these to stop modifying the original values and have people fix any scripts that it breaks (watching for header value names is the biggie here) or if we should use some alternate mechanism to allow the existing behavior to have a sundown time period.
> I say we should just break it since the quantity of existing scripts in the world is still fairly small and the number of scripts that it affects is even less (many scripts won't be affected at all).

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net  Mon Oct 19 13:54:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Mon, 19 Oct 2015 15:54:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1423) Add power of 2 test to file 'cq.c', test for overflow in 'nb_dns.c' In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1423?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1423: ------------------------------- Resolution: Duplicate Status: Closed (was: Open) Duplicate of BIT-1424 > Add power of 2 test to file 'cq.c', test for overflow in 'nb_dns.c' > -------------------------------------------------------------------- > > Key: BIT-1423 > URL: https://bro-tracker.atlassian.net/browse/BIT-1423 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: 2.3 > Environment: Source Code Requested Fixes > Reporter: Bill Parker > Labels: Enhancement > Fix For: 2.5 > > Attachments: nb_dns.c.patch > > > Hello All, > Here is a hunk of code which is a FIXME to the following statement: > /* XXX could check that nbuckets is a power of 2 */ > In directory 'src', file 'cq.c' > The patch file which adds this test is below: > --- cq.c.orig 2015-06-06 19:01:58.220926680 -0700 > +++ cq.c 2015-06-06 19:13:03.233446352 -0700 
> @@ -444,6 +444,9 @@ > > /* XXX could check that nbuckets is a power of 2 */ > > + if ((nbuckets % 2) != 0) { /* modulus of nbuckets and 2 isn't zero, not a power of 2 */ > + return (-1); /* should we send error message to stderr? */ > + } > size = sizeof(*buckets) * nbuckets; > buckets = (struct cq_bucket *)malloc(size); > memory_allocation += size; > > If the modulus returned is zero, then nbuckets is some power of 2... > Upon further review, this is actually incorrect, and should be implemented as a lookup table for actual powers of 2, since any even value will return a modulus of zero. Here is a link which will implement the request properly (my bad): > http://www.exploringbinary.com/ten-ways-to-check-if-an-integer-is-a-power-of-two-in-c/ > ==================================================================== > In directory 'src', file 'nb_dns.c', there is a XXX comment/request > to check for overflow in function 'nb_dns_activity', the patch file > below implements the test for overflow (which should be correct > from review of T_TXT code above this): > --- nb_dns.c.orig 2015-06-06 19:29:49.447330962 -0700 > +++ nb_dns.c 2015-06-06 19:32:14.693791040 -0700 > @@ -614,6 +614,12 @@ > } > he->h_name = bp; > /* XXX check for overflow */ > + if (bp + n >= ep) { > + snprintf(errstr, NB_DNS_ERRSIZE, > + "nb dns activity(): overflow 1 for ptr"); > + nr->host_errno = NO_RECOVERY; > + return (-1); > + } > bp += n; /* returned len includes EOS */ > > /* "Find first satisfactory answer" */ > > I am attaching the patch file(s) to this bug report > Bill Parker (wp02855 at gmail dot com) -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Mon Oct 19 13:55:00 2015 
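Review bot: the `cq.c` hunk tests `(nbuckets % 2) != 0`, which only rejects odd values, as the reporter concedes further down; 6 passes and is not a power of two. No lookup table is needed: the standard test is `if (nbuckets <= 0 || (nbuckets & (nbuckets - 1)) != 0) return (-1);`, since a power of two has exactly one bit set and clearing the lowest set bit leaves zero. Placing the test before `size = sizeof(*buckets) * nbuckets;` and the `malloc()`, as the hunk does, is the right position.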
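Review bot: the `nb_dns.c` hunk's bound `if (bp + n >= ep)` depends on what `ep` denotes; if `ep` is one past the end of the buffer, a name whose `n` bytes (EOS included, per the comment on `bp += n;`) end exactly at `ep` is legal and the test should be `bp + n > ep`. Confirm the convention used by the T_TXT code the reporter modelled this on, and check `n` for a negative return before it enters the pointer arithmetic. Minor: the error string reads `nb dns activity()` where the function is `nb_dns_activity()`.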
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:55:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1431) Loss of information due to analyzer capitalization changes
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1431:
-------------------------------

    Affects Version/s:     (was: 2.5)
                           2.4

> Loss of information due to analyzer capitalization changes
> ----------------------------------------------------------
>
>                 Key: BIT-1431
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1431
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Seth Hall
>             Fix For: 2.5
>
>
> Currently some of Bro's analyzers are changing the case of data before passing it along to events which is a fairly dramatic loss of information in some cases.
> The two known examples right now are the query in DNS (lowercased) and the header field name in HTTP (uppercased). The question is if we should brute force change these to stop modifying the original values and have people fix any scripts that it breaks (watching for header value names is the biggie here) or if we should use some alternate mechanism to allow the existing behavior to have a sundown time period.
> I say we should just break it since the quantity of existing scripts in the world is still fairly small and the number of scripts that it affects is even less (many scripts won't be affected at all).

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net  Mon Oct 19 13:57:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1472) Bif for a new function to calculates haversine distance between two geoip locations
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1472?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1472:
-------------------------------

    Fix Version/s: 2.5

> Bif for a new function to calculates haversine distance between two geoip locations
> -----------------------------------------------------------------------------------
>
>                 Key: BIT-1472
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1472
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Aashish Sharma
>            Assignee: Daniel Thayer
>              Labels: bif, function
>             Fix For: 2.5
>
>
> Merge request for:
> topic/aashish/haversine
> ## ## Calculates haversine distance between two geoip locations
> ##
> ##
> ## lat1, long1, lat2, long2
> ##
> ## Returns: distance in miles
> ## function haversine_distance%(lat1:double, long1:double, lat2:double, long2:double %): double
> accompanying bro policy in base/utils/haversine_distance_ip.bro
> module GLOBAL;
> ## Returns the haversine distance between two IP addresses based on GeoIP
> ## database locations
> ##
> ##
> ## orig: the address of orig connection
> ## resp: the address of resp server
> ## Returns: the GeoIP distance between orig and resp in miles
> function haversine_distance_ip(orig: addr, resp: addr): double

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net  Mon Oct 19 13:57:00 2015
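The two functions the BIT-1472 merge request declares, `haversine_distance(lat1, long1, lat2, long2)` returning miles and `haversine_distance_ip(orig, resp)` built on top of a GeoIP lookup, carried through as an added Python example. This is not the code from the topic/aashish/haversine branch and not Bro script; the Earth radius constant is an assumption (the ticket only states that the result is in miles), and the address-to-coordinate table is a constructed stand-in for Bro's GeoIP database.

```python
import math

# Mean Earth radius in miles. Assumed value: the ticket does not say which
# radius the bif uses, only that the result is in miles.
EARTH_RADIUS_MILES = 3958.8


def haversine_distance(lat1: float, long1: float, lat2: float, long2: float) -> float:
    """Great-circle distance in miles between two points given in decimal degrees.

    Same argument order as the bif in the ticket:
    haversine_distance%(lat1, long1, lat2, long2%).
    """
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(long2 - long1)
    # Haversine: a = sin^2(dphi/2) + cos(phi1) * cos(phi2) * sin^2(dlambda/2)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    # Clamp so rounding cannot push a fractionally above 1 for antipodal points.
    a = min(1.0, max(0.0, a))
    c = 2 * math.atan2(math.sqrt(a), math.sqrt(1 - a))
    return EARTH_RADIUS_MILES * c


# Constructed stand-in for a GeoIP lookup: address -> (latitude, longitude).
# The real script queries Bro's GeoIP database; these are sample coordinates
# on documentation prefixes, not real hosts.
GEO_TABLE = {
    "192.0.2.10": (37.8716, -122.2727),   # Berkeley, CA (sample)
    "198.51.100.5": (40.7128, -74.0060),  # New York, NY (sample)
}


def haversine_distance_ip(orig: str, resp: str, lookup=GEO_TABLE.get):
    """Distance in miles between two addresses, or None if either lacks a location.

    Mirrors haversine_distance_ip(orig, resp) from the ticket. The `lookup`
    parameter is an assumption standing in for the GeoIP database; a real
    database returns no location for private and unassigned space, which is
    the case the None return covers.
    """
    a, b = lookup(orig), lookup(resp)
    if a is None or b is None:
        return None
    return haversine_distance(a[0], a[1], b[0], b[1])


if __name__ == "__main__":
    print(f"{haversine_distance(0, 0, 0, 1):.2f} miles per degree of longitude at the equator")
    print(f"{haversine_distance_ip('192.0.2.10', '198.51.100.5'):.0f} miles between the sample hosts")
```

The None return is the part worth keeping in a Bro port: a script that multiplies or compares the result without checking for a missing GeoIP entry will silently treat "unknown" as "distance zero".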
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 15:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22624#comment-22624 ]

Johanna Amann commented on BIT-1413:
------------------------------------

Vlad, are all of these done? or are there still some missing?

> README files misidentified by GitHub
> ------------------------------------
>
>                 Key: BIT-1413
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1413
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Documentation
>            Reporter: Vlad Grigorescu
>            Assignee: Vlad Grigorescu
>             Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net  Mon Oct 19 14:01:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 16:01:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1492) Analyzers fail to attach when SYN missing
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1492:
-------------------------------

    Priority: Normal  (was: High)

> Analyzers fail to attach when SYN missing
> -----------------------------------------
>
>                 Key: BIT-1492
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1492
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC, Bro
>    Affects Versions: git/master, 2.4
>            Reporter: Michal Purzynski
>             Fix For: 2.5
>
>         Attachments: https_no_syn.pcap, https.pcap
>
>
> When the initial SYN packet is missing from the TCP connections, the conn.log gets created but no analyzers are attached.
> 1444814178.800000 C0xKJC4FTWyHP481Y3 198.18.7.165 54872 63.245.215.20 443 tcp - 1.608599 811 4856 SF - - 0 hADadFRf 8 1131 9 5228 (empty)
> I've crafted the pcap to include a full session of wget https://mozilla.org and removed the initial SYN. SSL analyzer failed to attach. I can confirm the same behavior with other analyzers, too (tested HTTP).
> I kind of wonder, would we lose a lot if we relaxed the rules for the 3WH a little bit? Like, allow the analyzer to continue, because it kind of looks like TCP. Kind of ;)
> tshark is happy to tell me there is SSL inside, so looks like there is a hope.
> 1 0.000000 63.245.215.20 -> 198.18.7.165 TCP 66 443?54872 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=1024
> 2 0.000330 198.18.7.165 -> 63.245.215.20 TCP 54 54872?443 [ACK] Seq=1 Ack=1 Win=53248 Len=0
> 3 0.001698 198.18.7.165 -> 63.245.215.20 SSL 575 Client Hello
> 4 0.194256 63.245.215.20 -> 198.18.7.165 TCP 54 443?54872 [ACK] Seq=1 Ack=522 Win=16384 Len=0
> 5 0.197021 63.245.215.20 -> 198.18.7.165 TLSv1.2 1514 Server Hello
> 6 0.197361 63.245.215.20 -> 198.18.7.165 TCP 1514 [TCP segment of a reassembled PDU]
> 7 0.197538 198.18.7.165 -> 63.245.215.20 TCP 54 54872?443 [ACK] Seq=522 Ack=2921 Win=53248 Len=0
> 8 0.197857 63.245.215.20 -> 198.18.7.165 TLSv1.2 1328 Certificate
> 9 0.205449 198.18.7.165 -> 63.245.215.20 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request
> 10 0.400301 63.245.215.20 -> 198.18.7.165 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
> 11 0.405533 198.18.7.165 -> 63.245.215.20 TLSv1.2 218 Application Data
> 12 0.598400 63.245.215.20 -> 198.18.7.165 TLSv1.2 634 Application Data
> 13 0.655022 198.18.7.165 -> 63.245.215.20 TCP 54 54872?443 [ACK] Seq=812 Ack=4826 Win=53248 Len=0
> 14 1.413664 198.18.7.165 -> 63.245.215.20 TCP 54 54872?443 [FIN, ACK] Seq=812 Ack=4826 Win=53248 Len=0
> 15 1.607910 63.245.215.20 -> 198.18.7.165 TLSv1.2 85 Encrypted Alert
> 16 1.608140 198.18.7.165 -> 63.245.215.20 TCP 54 54872?443 [RST, ACK] Seq=813 Ack=4857 Win=0 Len=0
> 17 1.608599 63.245.215.20 -> 198.18.7.165 TCP 54 443?54872 [FIN, ACK] Seq=4857 Ack=813 Win=17408 Len=0

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net  Mon Oct 19 14:01:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 16:01:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1492) Analyzers fail to attach when SYN missing
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1492:
-------------------------------

    Fix Version/s: 2.5

> Analyzers fail to attach when SYN missing
> -----------------------------------------
>
>                 Key: BIT-1492
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1492
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC, Bro
>    Affects Versions: git/master, 2.4
>            Reporter: Michal Purzynski
>            Priority: High
>             Fix For: 2.5
>
>         Attachments: https_no_syn.pcap, https.pcap
>
>
> When the initial SYN packet is missing from the TCP connections, the conn.log gets created but no analyzers are attached.
> 1444814178.800000 C0xKJC4FTWyHP481Y3 198.18.7.165 54872 63.245.215.20 443 tcp - 1.608599 811 4856 SF - - 0 hADadFRf 8 1131 9 5228 (empty)
> I've crafted the pcap to include a full session of wget https://mozilla.org and removed the initial SYN. SSL analyzer failed to attach. I can confirm the same behavior with other analyzers, too (tested HTTP).
> I kind of wonder, would we lose a lot if we relaxed the rules for the 3WH a little bit? Like, allow the analyzer to continue, because it kind of looks like TCP. Kind of ;)
> tshark is happy to tell me there is SSL inside, so looks like there is a hope.
> 1 0.000000 63.245.215.20 -> 198.18.7.165 TCP 66 443?54872 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=1024
> 2 0.000330 198.18.7.165 -> 63.245.215.20 TCP 54 54872?443 [ACK] Seq=1 Ack=1 Win=53248 Len=0
> 3 0.001698 198.18.7.165 -> 63.245.215.20 SSL 575 Client Hello
> 4 0.194256 63.245.215.20 -> 198.18.7.165 TCP 54 443?54872 [ACK] Seq=1 Ack=522 Win=16384 Len=0
> 5 0.197021 63.245.215.20 -> 198.18.7.165 TLSv1.2 1514 Server Hello
> 6 0.197361 63.245.215.20 -> 198.18.7.165 TCP 1514 [TCP segment of a reassembled PDU]
> 7 0.197538 198.18.7.165 -> 63.245.215.20 TCP 54 54872?443 [ACK] Seq=522 Ack=2921 Win=53248 Len=0
> 8 0.197857 63.245.215.20 -> 198.18.7.165 TLSv1.2 1328 Certificate
> 9 0.205449 198.18.7.165 -> 63.245.215.20 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request
> 10 0.400301 63.245.215.20 -> 198.18.7.165 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
> 11 0.405533 198.18.7.165 -> 63.245.215.20 TLSv1.2 218 Application Data
> 12 0.598400 63.245.215.20 -> 198.18.7.165 TLSv1.2 634 Application Data
> 13 0.655022 198.18.7.165 -> 63.245.215.20 TCP 54 54872?443 [ACK] Seq=812 Ack=4826 Win=53248 Len=0
> 14 1.413664 198.18.7.165 -> 63.245.215.20 TCP 54 54872?443 [FIN, ACK] Seq=812 Ack=4826 Win=53248 Len=0
> 15 1.607910 63.245.215.20 -> 198.18.7.165 TLSv1.2 85 Encrypted Alert
> 16 1.608140 198.18.7.165 -> 63.245.215.20 TCP 54 54872?443 [RST, ACK] Seq=813 Ack=4857 Win=0 Len=0
> 17 1.608599 63.245.215.20 -> 198.18.7.165 TCP 54 443?54872 [FIN, ACK] Seq=4857 Ack=813 Win=17408 Len=0

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net  Mon Oct 19 14:39:00 2015
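The conn.log record quoted in the BIT-1492 report carries the evidence of what went wrong in its `history` field: `hADadFRf` starts with the responder's SYN+ACK (`h`) and never contains the originator's SYN (`S`), and the `service` column is `-` because no analyzer attached. The added Python example below, which is not code from Bro or from the ticket, parses conn.log records in the default Bro 2.4 column order and flags TCP connections that Bro first saw mid-stream, so an operator can measure how much traffic this issue affects on a sensor. The first sample record is the one from the ticket; the other two are constructed for contrast (a full handshake, and a UDP flow that must not be flagged).

```python
from dataclasses import dataclass
from typing import List

# Default conn.log column order (Bro 2.4); used to index a record by field name.
CONN_FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes",
               "conn_state", "local_orig", "local_resp", "missed_bytes",
               "history", "orig_pkts", "orig_ip_bytes", "resp_pkts",
               "resp_ip_bytes", "tunnel_parents")


@dataclass
class ConnSummary:
    uid: str
    orig: str
    resp: str
    proto: str
    service: str
    conn_state: str
    history: str

    @property
    def orig_syn_seen(self) -> bool:
        # In the history string uppercase letters describe the originator;
        # 'S' is a SYN without ACK.
        return "S" in self.history

    @property
    def resp_synack_seen(self) -> bool:
        # Lowercase letters describe the responder; 'h' is its SYN+ACK.
        return "h" in self.history

    @property
    def midstream(self) -> bool:
        # Handshake or data was seen but never the originator's SYN: the shape
        # of the ticket's capture once its first packet was removed.
        return not self.orig_syn_seen


def parse_conn_line(line: str) -> ConnSummary:
    """Parse one whitespace-separated conn.log record in the default column order."""
    values = line.split()
    if len(values) != len(CONN_FIELDS):
        raise ValueError(f"expected {len(CONN_FIELDS)} fields, got {len(values)}")
    rec = dict(zip(CONN_FIELDS, values))
    return ConnSummary(uid=rec["uid"],
                       orig=f'{rec["id.orig_h"]}:{rec["id.orig_p"]}',
                       resp=f'{rec["id.resp_h"]}:{rec["id.resp_p"]}',
                       proto=rec["proto"], service=rec["service"],
                       conn_state=rec["conn_state"], history=rec["history"])


def find_midstream_tcp(lines: List[str]) -> List[str]:
    """Return the uids of TCP records whose history never shows the originator's SYN."""
    flagged = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and conn.log header lines
        conn = parse_conn_line(line)
        if conn.proto == "tcp" and conn.midstream:
            flagged.append(conn.uid)
    return flagged


# Sample input. The first record is the one quoted in the ticket; the other two
# are constructed: a TCP flow with a full handshake (history begins with 'S')
# and a UDP flow, whose history never has a SYN and must not be flagged.
SAMPLE_CONN_LOG = [
    "1444814178.800000 C0xKJC4FTWyHP481Y3 198.18.7.165 54872 63.245.215.20 443 tcp - 1.608599 811 4856 SF - - 0 hADadFRf 8 1131 9 5228 (empty)",
    "1444814178.500000 CconstructedFull1 198.18.7.165 54873 63.245.215.20 443 tcp ssl 1.200000 811 4856 SF - - 0 ShADadFf 9 1200 9 5228 (empty)",
    "1444814179.000000 CconstructedUdp01 198.18.7.165 5353 198.18.7.1 53 udp dns 0.010000 40 120 SF - - 0 Dd 1 68 1 148 (empty)",
]

if __name__ == "__main__":
    for uid in find_midstream_tcp(SAMPLE_CONN_LOG):
        print(f"{uid}: TCP connection seen mid-stream, analyzers will not have attached")
```

Run against a real conn.log the `#fields` header line is skipped by the `#` test, but the column order is only the default one; if the log has been customised, build `CONN_FIELDS` from that header line instead of the constant.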
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Mon, 19 Oct 2015 16:39:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22625#comment-22625 ]

Vlad Grigorescu commented on BIT-1413:
--------------------------------------

Some are still missing. This fell on the back burner.

> README files misidentified by GitHub
> ------------------------------------
>
>                 Key: BIT-1413
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1413
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Documentation
>            Reporter: Vlad Grigorescu
>            Assignee: Vlad Grigorescu
>             Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net  Mon Oct 19 15:19:00 2015
From: jira at bro-tracker.atlassian.net (Vern Paxson (JIRA))
Date: Mon, 19 Oct 2015 17:19:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-903) -b turns off -f

    [ https://bro-tracker.atlassian.net/browse/BIT-903?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22626#comment-22626 ]

Vern Paxson commented on BIT-903:
---------------------------------

FYI it's annoying to be told that my report is a "duplicate" of *one filed 3 years later*

> -b turns off -f
> ---------------
>
> Key: BIT-903
> URL: https://bro-tracker.atlassian.net/browse/BIT-903
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Vern Paxson
> Fix For: 2.5
>
> Attachments: signature.asc, single-tcp-conn-est.trace
>
>
> Running with -b (bare bones) disables processing by -f. Boy did this take me a long time to figure out :-(.
> Reproduce using the appended trace. Invoking with -e 'event connection_established(c: connection) { print "yep"; }' will print "yep". Invoking with that plus -f 'not tcp' won't print anything. But invoking with -f 'not tcp' -b does print "yep".

From jira at bro-tracker.atlassian.net Mon Oct 19 16:08:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 19 Oct 2015 18:08:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-903) -b turns off -f

    [ https://bro-tracker.atlassian.net/browse/BIT-903?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22627#comment-22627 ]

Johanna Amann commented on BIT-903:
-----------------------------------

Sorry about that - the message was just the very short explanation why I closed the bug. I looked at both of them and the newer one seemed to have much more interesting discussion, containing all the arguments that are included in this one. Hence I opted to keep the other one around. Still having this one here in addition---even though it is older---did not really seem to serve any purpose.

From jira at bro-tracker.atlassian.net Mon Oct 19 18:58:00 2015
From: jira at bro-tracker.atlassian.net (Vern Paxson (JIRA))
Date: Mon, 19 Oct 2015 20:58:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-903) -b turns off -f

    [ https://bro-tracker.atlassian.net/browse/BIT-903?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22628#comment-22628 ]

Vern Paxson commented on BIT-903:
---------------------------------

Got it. The phrase then to use would be "Superseded by BIT-1407"

From jira at bro-tracker.atlassian.net Mon Oct 19 22:54:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Tue, 20 Oct 2015 00:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1154) Formatters restructed in: topic/seth/json-formatter

    [ https://bro-tracker.atlassian.net/browse/BIT-1154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1154:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

Let's just close this for now.

> Formatters restructed in: topic/seth/json-formatter
> ---------------------------------------------------
>
> Key: BIT-1154
> URL: https://bro-tracker.atlassian.net/browse/BIT-1154
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: 2.4
> Reporter: Seth Hall
> Assignee: Seth Hall
> Fix For: 2.5
>
>
> topic/seth/json-formatter has an abstraction for Formatters and I created a formatters directory under threading. There is also a new JSON formatter and support in the Ascii and ElasticSearch writers for the JSON formatter.
> I went ahead and threw in per-filter configuration options for the Ascii writer for all of the options that were exposed globally too.

From noreply at bro.org Tue Oct 20 00:00:32 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 20 Oct 2015 00:00:32 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510200700.t9K70Wem012128@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter               Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------------  ------------  ----------  -----------  --------  -------
BIT-1489 [1]  BroControl  Daniel Thayer          Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1488 [3]  Bro         Oman Security Officer  -             2015-10-07  -            Normal    ICMP analyser incorrectly handles ICMP connections
BIT-1487 [4]  Bro         Eric Karasuda          -             2015-10-05  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue     Component    User                  Updated     Title
--------  -----------  --------------------  ----------  -----
#46 [5]   bro          albertzaharovits [6]  2015-10-17  HTTP Content-Disposition header updates filename field in HTTP::Info [7]
#8 [8]    bro-plugins  michalpurzynski [9]   2015-10-17  Myricom SNF v3 packet source plugin [10]
#6 [11]   bro-plugins  jswaro [12]           2015-10-16  Adding initial conversion of TCPRS to a plugin [13]
#1 [14]   broctl       J-Gras [15]           2015-10-08  Added support for packet fanout load balancing [16]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1488 https://bro-tracker.atlassian.net/browse/BIT-1488
[4] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[5] Pull Request #46 https://github.com/bro/bro/pull/46
[6] albertzaharovits https://github.com/albertzaharovits
[7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[8] Pull Request #8 https://github.com/bro/bro-plugins/pull/8
[9] michalpurzynski https://github.com/michalpurzynski
[10] Merge Pull Request #8 with git pull --no-ff --no-commit https://github.com/michalpurzynski/bro-plugins.git master
[11] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[12] jswaro https://github.com/jswaro
[13] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[14] Pull Request #1 https://github.com/bro/broctl/pull/1
[15] J-Gras https://github.com/J-Gras
[16] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Tue Oct 20 07:45:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 20 Oct 2015 09:45:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1487) protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

    [ https://bro-tracker.atlassian.net/browse/BIT-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1487:
---------------------------------

    Assignee: Robin Sommer

> protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response
> --------------------------------------------------------------------------------------------------
>
> Key: BIT-1487
> URL: https://bro-tracker.atlassian.net/browse/BIT-1487
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 2.4
> Reporter: Eric Karasuda
> Assignee: Robin Sommer
> Fix For: 2.5
>
> Attachments: http-connect.patch, http-connect.pcap, output-without-patch.tar.gz, output-with-patch.tar.gz
>
>
> Failure scenario:
> * a client makes an HTTP request to a proxy: CONNECT secure.newegg.com:443
> * the server responds HTTP 200
> * the proxy adds a header to the server's response (e.g. "Proxy-agent: Apache/2.4.16 (Unix)" in the attached pcap).
> * SSL handshake proceeds
> * Bro fails to identify the SSL handshake
> As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it instantiates a child analyzer and passes the rest of the server's response to the child. In particular, this means the "Proxy-agent" header is treated as the first data transmitted in the SSL handshake. As a result, protocol detection fails.
> The attached patch remembers that the HTTP 200 was received and only instantiates the child analyzer when the newline is reached at the end of the HTTP message (e.g. after the "Proxy-agent" header).
> Running {{bro -C -r http-connect.pcap}} with the attached pcap should output {{output-without-patch.tar.gz}} before applying the patch (note the absence of ssl.log) and should output {{output-with-patch.tar.gz}} after applying the patch.

From jira at bro-tracker.atlassian.net Tue Oct 20 09:48:01 2015
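The hand-off described in the ticket above, as an added example (not Bro's own analyzer code): a small incremental parser of the proxy's reply that either passes the stream to the "child" as soon as the 200 status line is complete (the reported behaviour) or only after the blank line that ends the headers (what the patch does). The proxy reply bytes and the TLS-record check are constructed for this example.

```python
"""Added example, not Bro's own analyzer code: model the HTTP CONNECT
hand-off from BIT-1487 with a small incremental parser of the proxy reply."""
from typing import Optional, Tuple

# Constructed proxy reply modelled on the ticket: 200 status line, the
# header the proxy appends, the blank line ending the HTTP message, then
# the first bytes of a TLS record (content type 0x16 = handshake, version
# 0x0301) as the real server's ServerHello would begin.
PROXY_REPLY = (
    b"HTTP/1.0 200 Connection Established\r\n"
    b"Proxy-agent: Apache/2.4.16 (Unix)\r\n"
    b"\r\n"
    b"\x16\x03\x01\x00\x51\x02\x00\x00\x4d\x03\x03"
)


class ConnectReplyParser:
    """Server-side view of a CONNECT tunnel.

    handoff_at_blank_line=False reproduces the reported bug (hand the rest of
    the stream to the child analyzer right after the 200 status line);
    True is the patched behaviour (hand off only once the HTTP headers end).
    """

    def __init__(self, handoff_at_blank_line: bool) -> None:
        self.handoff_at_blank_line = handoff_at_blank_line
        self.buf = b""
        self.saw_200 = False
        self.tunnel: Optional[bytes] = None  # bytes given to the child analyzer

    def feed(self, chunk: bytes) -> None:
        """Deliver one segment's worth of data, as an analyzer would see it."""
        if self.tunnel is not None:            # already handed off: pass through
            self.tunnel += chunk
            return
        self.buf += chunk
        while self.tunnel is None:
            nl = self.buf.find(b"\r\n")
            if nl < 0:
                return                         # wait for the rest of the line
            line, self.buf = self.buf[:nl], self.buf[nl + 2:]
            if not self.saw_200:
                parts = line.split(b" ", 2)
                if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1] == b"200":
                    self.saw_200 = True
                    if not self.handoff_at_blank_line:
                        self._handoff()        # bug: proxy headers still in the buffer
                continue
            if line == b"":                    # empty line: the HTTP message is over
                self._handoff()
            # any other line is a header the proxy added; keep parsing HTTP

    def _handoff(self) -> None:
        self.tunnel, self.buf = self.buf, b""


def looks_like_tls_handshake(data: bytes) -> bool:
    """The first thing a TLS analyzer expects: a handshake record header."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03


def run_tunnel(handoff_at_blank_line: bool, segment_size: int = 7) -> Tuple[bytes, bool]:
    """Feed PROXY_REPLY in small segments; return what the child analyzer saw
    first and whether that looks like the start of a TLS handshake."""
    parser = ConnectReplyParser(handoff_at_blank_line)
    for i in range(0, len(PROXY_REPLY), segment_size):
        parser.feed(PROXY_REPLY[i:i + segment_size])
    seen = parser.tunnel or b""
    return seen[:12], looks_like_tls_handshake(seen)


if __name__ == "__main__":
    for fixed in (False, True):
        head, ok = run_tunnel(fixed)
        print("patched" if fixed else "unpatched", "child first saw", head,
              "-> TLS detected:", ok)
```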
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 20 Oct 2015 11:48:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1442) Prevent possible segmentation violation/faults in Bro-2.3.2

    [ https://bro-tracker.atlassian.net/browse/BIT-1442?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1442:
-------------------------------

    Resolution: Invalid
        Status: Closed  (was: Open)

I took a look at this - the bro.c patch is for broccoli. Broccoli is deprecated and will go away - because this looks like a very small edge case it is probably not worth it at this time to put this kind of fix in.

The second patch concerns the SWIG bindings of pysubnettree. This code is autogenerated by SWIG. At first glance I am not sure if this case can ever occur (I suspect not), but if you think it might be a problem please report it to the upstream project (SWIG).

> Prevent possible segmentation violation/faults in Bro-2.3.2
> -----------------------------------------------------------
>
> Key: BIT-1442
> URL: https://bro-tracker.atlassian.net/browse/BIT-1442
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: bro-aux, Broccoli
> Affects Versions: 2.3
> Environment: Linux/Windows/BSD, etc
> Reporter: Bill Parker
> Labels: Segmentation, Violation, fault
> Attachments: bro.c.patch, SubnetTree_wrap.cc.patch
>
>
> Hello All,
> In reviewing calls to memset() in Bro-2.3.2, I came across a
> pair of instances where memset could POSSIBLY be called with an
> address area pointing to NULL, which would generate a segmentation
> violation/fault during execution. The patch files below should
> address these issues:
> In directory 'bro-2.3.2/aux/broctl/aux/pysubnettree', file
> 'SubnetTree_wrap.cc':
> --- SubnetTree_wrap.cc.orig 2015-08-02 18:56:24.034212101 -0400
> +++ SubnetTree_wrap.cc 2015-08-02 18:59:11.242212101 -0400
> @@ -719,6 +719,8 @@ > SWIG_UnpackDataName(const char *c, void *ptr, size_t sz, const char *name) { > if (*c != '_') { > if (strcmp(c,"NULL") == 0) { > + if (ptr == NULL) /* on off chance that ptr is NULL, memset() */ > + return 0; /* will segment violation/fault, so return 0 */ > memset(ptr,0,sz); > return name; > } else { > In directory 'bro-2.3.2/aux/broccoli/src', file 'bro.c': > --- bro.c.orig 2015-08-02 19:04:00.161212101 -0400 > +++ bro.c 2015-08-02 19:05:15.608212101 -0400 > @@ -367,6 +367,9 @@ > void > bro_ctx_init(BroCtx *ctx) > { > + if (! ctx) /* paranoid, ctx must NOT be NULL */ > + return; > + > memset(ctx, 0, sizeof(BroCtx)); > } > > Comments, Questions, Suggestions, Complaints :) > I am attaching the patch file(s) to this bug report... > Bill Parker (wp02855 at gmail dot com) -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Tue Oct 20 10:00:00 2015 
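Review bot: In the SWIG_UnpackDataName hunk (`@@ -719,6 +719,8 @@`) the new early `return 0;` changes the function's return contract instead of addressing the cause: on the "NULL" branch the function otherwise returns `name`, so a caller that tests that return value now receives a null pointer with nothing distinguishing "ptr was NULL" from any other outcome. Since SubnetTree_wrap.cc is SWIG-generated output, the edit is also lost on the next regeneration; if the case is reachable it belongs in the SWIG template upstream. The two added comment fragments ("on off chance that ptr is NULL, memset()" / "will segment violation/fault, so return 0") should be one complete sentence on the first added line rather than a clause split across both.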
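Review bot: The `if (! ctx) return;` guard in the bro_ctx_init hunk (`@@ -367,6 +367,9 @@`) hides a caller bug rather than reporting it: a NULL ctx is a programming error, the skipped `memset(ctx, 0, sizeof(BroCtx))` would at least fail at the call site, and after this change the caller silently continues with an uninitialised context. Prefer `assert(ctx)` or a documented precondition on bro_ctx_init, or return a status the caller can check; the added comment "paranoid, ctx must NOT be NULL" already states that the case is not expected to occur.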
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 20 Oct 2015 12:00:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1488) ICMP analyser incorrectly handles ICMP connections

    [ https://bro-tracker.atlassian.net/browse/BIT-1488?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1488:
-------------------------------

    Status: Open  (was: Merge Request)

> ICMP analyser incorrectly handles ICMP connections
> --------------------------------------------------
>
> Key: BIT-1488
> URL: https://bro-tracker.atlassian.net/browse/BIT-1488
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: 2.4
> Environment: Security Onion 12.4 (Linux 3.13.0-63-generic #104~precise1-Ubuntu SMP x86_64 GNU/Linux) installed On VMware Workstation (10.0.3 build-1895310) running on Windows 8.1 Enterprise
> Reporter: Oman Security Officer
> Labels: analyzer
> Attachments: results.txt, test_icmp.bro
>
>
> I have been testing BRO scripts on DARPA 1998 dataset (Week 3 - Wednesday) TCPDUMP [https://www.ll.mit.edu/ideval/data/1998/training/week3/wednesday/tcpdump.gz]. This file contains a lot of ICMP packets. I was testing ICMP events in BRO to understand their role.
> * event *icmp_echo_request*(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
> * event *icmp_echo_reply*(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
> It seems that the ICMP analyser does not handle the ICMP connections in the right way. I have noticed that, when I use those 2 events, the "*c: connection*" variable does not return the right results.
> For example, the mentioned DARPA file contains the following ICMP traces between hosts 202.72.1.77 and 172.16.112.50. The exchanged packets are summarized in the following table:
>
> No.    Time              Source         Destination    Protocol  Length  Info
> (first group)
> 28076  898088609.998513  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request id=0xf305 seq=0/0 ttl=63
> 28077  898088610.000822  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply   id=0xf305 seq=0/0 ttl=254
> 28150  898088612.998292  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request id=0xf305 seq=256/1 ttl=63
> 28151  898088612.998641  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply   id=0xf305 seq=256/1 ttl=254
> 28669  898088644.998259  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request id=0xf405 seq=0/0 ttl=63
> 28670  898088644.998652  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply   id=0xf405 seq=0/0 ttl=254
> 28682  898088647.998159  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request id=0xf405 seq=256/1 ttl=63
> 28683  898088647.998566  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply   id=0xf405 seq=256/1 ttl=254
> (second group)
> 30478  898088768.759437  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request id=0xf176 seq=0/0 ttl=63
> 30479  898088768.760917  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply   id=0xf176 seq=0/0 ttl=254
> 31016  898088797.366418  202.72.1.77    172.16.112.50  ICMP      60      Echo (ping) request id=0xf276 seq=0/0 ttl=63
> 31017  898088797.366861  172.16.112.50  202.72.1.77    ICMP      60      Echo (ping) reply   id=0xf276 seq=0/0 ttl=254
>
> It can be seen that there are 6 ICMP connections by exchanging 12 packets (6 Echo Requests and 6 Echo Replies), whereas Bro will handle them as 2 connections only, making the final results inaccurate.
> I have found that BRO will treat all requests and replies between timestamps 898088609.998513 and 898088647.998566 as *one connection* (the first group above) and between timestamps 898088768.759437 and 898088797.366861 as *another connection* (the second group above).
> The results of calling events *icmp_echo_request* and *icmp_echo_reply* on that file between the named hosts (202.72.1.77 and 172.16.112.50) can be found in the attached file (results.txt) as well as the script file (test_icmp.bro).
> The following commands were called to obtain the results
> > wget -c https://www.ll.mit.edu/ideval/data/1998/training/week3/wednesday/tcpdump.gz
> > gzip -d < tcpdump.gz > week3_Wednesday.tcpdump
> > bro -r week3_Wednesday.tcpdump test_icmp.bro > results.txt

From jira at bro-tracker.atlassian.net Tue Oct 20 10:03:00 2015
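The grouping described in the ticket above, as an added example (not Bro's own code): the twelve packets from the table replayed through a flow-grouping model that keys on the host pair and ICMP type only and expires idle flows after an assumed 60 s (Bro's default icmp_inactivity_timeout of 1 min), beside the per-(id, seq) pairing the reporter counted. The key model is an assumption chosen to reproduce the two connections the ticket reports.

```python
"""Added example, not Bro's own code: replay the ICMP echo packets from
BIT-1488 through two grouping rules to show why a flow-based analyser logs
two connections where the reporter counted six exchanges."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ECHO_REPLY, ECHO_REQUEST = 0, 8          # ICMPv4 type numbers

# Assumption: Bro's default icmp_inactivity_timeout of 1 min.
ICMP_INACTIVITY_TIMEOUT = 60.0


@dataclass(frozen=True)
class IcmpPacket:
    ts: float
    src: str
    dst: str
    icmp_type: int
    ident: int   # the "id=" field of the echo
    seq: int     # the "seq=" field (host order)


A, B = "202.72.1.77", "172.16.112.50"

# The twelve packets from the ticket's table (timestamps, ids and seqs as given).
PACKETS: List[IcmpPacket] = [
    IcmpPacket(898088609.998513, A, B, ECHO_REQUEST, 0xF305, 0),
    IcmpPacket(898088610.000822, B, A, ECHO_REPLY,   0xF305, 0),
    IcmpPacket(898088612.998292, A, B, ECHO_REQUEST, 0xF305, 1),
    IcmpPacket(898088612.998641, B, A, ECHO_REPLY,   0xF305, 1),
    IcmpPacket(898088644.998259, A, B, ECHO_REQUEST, 0xF405, 0),
    IcmpPacket(898088644.998652, B, A, ECHO_REPLY,   0xF405, 0),
    IcmpPacket(898088647.998159, A, B, ECHO_REQUEST, 0xF405, 1),
    IcmpPacket(898088647.998566, B, A, ECHO_REPLY,   0xF405, 1),
    IcmpPacket(898088768.759437, A, B, ECHO_REQUEST, 0xF176, 0),
    IcmpPacket(898088768.760917, B, A, ECHO_REPLY,   0xF176, 0),
    IcmpPacket(898088797.366418, A, B, ECHO_REQUEST, 0xF276, 0),
    IcmpPacket(898088797.366861, B, A, ECHO_REPLY,   0xF276, 0),
]

FlowKey = Tuple[str, str, int]


def flow_key(p: IcmpPacket) -> FlowKey:
    """Assumed connection key (originator, responder, ICMP type): a reply is
    folded onto the request it answers, and the echo identifier is not part
    of the key, so every ping between the same two hosts shares one key."""
    if p.icmp_type == ECHO_REPLY:
        return (p.dst, p.src, ECHO_REQUEST)
    return (p.src, p.dst, p.icmp_type)


def flow_connections(packets: List[IcmpPacket],
                     timeout: float = ICMP_INACTIVITY_TIMEOUT) -> List[Dict]:
    """Group packets the way a flow-based analyser does: a packet joins the
    live connection for its key unless that connection has been idle longer
    than `timeout`, in which case a new connection starts."""
    live: Dict[FlowKey, int] = {}          # key -> index into conns
    conns: List[Dict] = []
    for p in sorted(packets, key=lambda q: q.ts):
        k = flow_key(p)
        i = live.get(k)
        if i is not None and p.ts - conns[i]["last"] <= timeout:
            conns[i]["last"] = p.ts
            conns[i]["packets"] += 1
        else:
            conns.append({"key": k, "first": p.ts, "last": p.ts, "packets": 1})
            live[k] = len(conns) - 1
    return conns


def echo_pairs(packets: List[IcmpPacket]) -> Dict[Tuple, Set[int]]:
    """The reporter's view: one exchange per (host pair, id, seq), with the
    set of ICMP types seen for it (a complete pair holds request and reply)."""
    pairs: Dict[Tuple, Set[int]] = {}
    for p in packets:
        hosts = tuple(sorted((p.src, p.dst)))
        pairs.setdefault((hosts, p.ident, p.seq), set()).add(p.icmp_type)
    return pairs


if __name__ == "__main__":
    for c in flow_connections(PACKETS):
        print("flow connection", c["key"], "packets:", c["packets"],
              "duration: %.1fs" % (c["last"] - c["first"]))
    print("echo exchanges:", len(echo_pairs(PACKETS)))
```

Lowering the timeout (for example to 10 s) splits the same packets into four connections, which shows that the count depends on the idle gap between pings, not on the echo identifier.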
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 20 Oct 2015 12:03:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1029) support printing arbitrary expressions

    [ https://bro-tracker.atlassian.net/browse/BIT-1029?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1029:
-------------------------------

    Resolution: Won't Fix
        Status: Closed  (was: Open)

I am closing this since there is no chance that we will make any progress on this in the medium to long term. The way that the print statement currently works in broctl will go away due to the deprecation of broccoli. It is still unclear how we will support that statement at all in the future - when/if this is implemented I am sure this will come up again.

> support printing arbitrary expressions
> --------------------------------------
>
> Key: BIT-1029
> URL: https://bro-tracker.atlassian.net/browse/BIT-1029
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Affects Versions: git/master
> Reporter: dmandelb
> Priority: Low
>
> {{broctl}}'s print command can be very verbose for large tables. It would be nice if it could support at least the below two styles of commands, but ideally it could support any Bro Scripting Language expression.
> {noformat}
> [BroControl] > print BBNHostPeering::host_peers[127.0.0.1]
> [BroControl] > print |BBNHostPeering::host_peers|
> {noformat}

From jira at bro-tracker.atlassian.net Tue Oct 20 10:04:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 20 Oct 2015 12:04:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1208) Unused Weirds

    [ https://bro-tracker.atlassian.net/browse/BIT-1208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1208:
-------------------------------

    Fix Version/s: 2.5

> Unused Weirds
> -------------
>
> Key: BIT-1208
> URL: https://bro-tracker.atlassian.net/browse/BIT-1208
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Affects Versions: 2.3
> Reporter: Vlad Grigorescu
> Priority: Low
> Fix For: 2.5
>
>
> The following weirds are defined and assigned an action, but aren't being generated anywhere. We should figure out which ones we want to keep around and start generating them, and which ones we can remove:
> - DHCP_no_type_option
> - DHCP_wrong_msg_type
> - DHCP_wrong_op_type
> - HTTP_unknown_method (this seems to be a simple error, as http/main is generating unknown_HTTP_method)
> - corrupt_tcp_options
> - data_without_SYN_ACK
> - matching_undelivered_data
> - dns_changed_number_of_responses
> - dns_reply_seen_after_done
> - excessive_RPC_len
> - multiple_RPCs
> - partial_RPC_request
> - non_IPv4_packet

From jira at bro-tracker.atlassian.net Tue Oct 20 10:06:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 20 Oct 2015 12:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-178) BroControl's check process should check for ability to set "ulimit -d"

    [ https://bro-tracker.atlassian.net/browse/BIT-178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-178:
------------------------------

    Fix Version/s: 2.5

> BroControl's check process should check for ability to set "ulimit -d"
> ----------------------------------------------------------------------
>
> Key: BIT-178
> URL: https://bro-tracker.atlassian.net/browse/BIT-178
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Affects Versions: 1.5.2
> Reporter: Seth Hall
> Assignee: Daniel Thayer
> Priority: Low
> Labels: warning
> Fix For: 2.5
>
>
> If the bro process(es) are run as a non-root user, the "ulimit -d" call done during the run-bro script will fail (on freebsd at least) and cause obtuse failures when the Bro processes grow beyond the default 512M data segment size (on freebsd again). The check process could verify that setting can be set and possibly give recommendations for linux and freebsd on how to increase that setting globally.
> For documentation purposes, to set it globally to the value set by the run-bro script put the following in the /boot/loader.conf file and reboot:
> {noformat}
> kern.maxdsiz=1610612736
> {noformat}

From jira at bro-tracker.atlassian.net Tue Oct 20 10:07:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 20 Oct 2015 12:07:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-463) Create a test for large packet support

    [ https://bro-tracker.atlassian.net/browse/BIT-463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-463:
------------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

Seems to work fine at one of our clusters. A test trace would still be nice, but I am closing it for now because it is not an actual bug.

> Create a test for large packet support
> --------------------------------------
>
> Key: BIT-463
> URL: https://bro-tracker.atlassian.net/browse/BIT-463
> Project: Bro Issue Tracker
> Issue Type: Test Case Missing
> Components: Bro
> Reporter: Seth Hall
> Priority: Low
>
> This requires that we find a tracefile with large packets to verify that we can successfully process them.

From jira at bro-tracker.atlassian.net Tue Oct 20 10:09:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 20 Oct 2015 12:09:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1471) find-filtered-trace: minor documentation update

    [ https://bro-tracker.atlassian.net/browse/BIT-1471?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1471:
-------------------------------

    Resolution: Solved
        Status: Closed  (was: Open)

Closing, because there does not seem to be anything that remains to do. If you want to take a shot at making the explanation better, please feel free to provide an updated version of it and re-open the bug.

> find-filtered-trace: minor documentation update
> ------------------------------------------------
>
> Key: BIT-1471
> URL: https://bro-tracker.atlassian.net/browse/BIT-1471
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Documentation
> Affects Versions: git/master
> Environment: CentOS 7, bro-master
> Reporter: dop
> Priority: Trivial
> Labels: documentation
> Attachments: detect_filtered_doc.patch
>
>
> Just noticed that "detect_filtered_trace" should be "FilteredTraceDetection::enable". Updated the text reported to the user, not sure if the bro docs section in the comments is appropriate. Patch attached.

From jira at bro-tracker.atlassian.net Tue Oct 20 10:10:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 20 Oct 2015 12:10:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1237) Bro script declaration ordering

    [ https://bro-tracker.atlassian.net/browse/BIT-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1237:
-------------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

Closing - known language quirk in an edge-case that we will probably not change in the medium to long-term.

> Bro script declaration ordering
> -------------------------------
>
> Key: BIT-1237
> URL: https://bro-tracker.atlassian.net/browse/BIT-1237
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Environment: Bro con training VM
> Reporter: Peter Kaloroumakis
> Priority: Trivial
> Labels: BroScript
>
> During one of the scripting exercises I noticed odd behavior with items declared in the global scope:
> {code}
> ############################# error.bro
> not working:
> ------------------------------------------------
> local test_var = "test_var";
> function test_1()
> {
>     print "test_1";
> }
> print test_var;
> test_1();
> >>> Output:
> error in ./test.bro, line 3: syntax error, at or near "test_1"
> ############################# working.bro
> working:
> ------------------------------------------------
> function test_1()
> {
>     print "test_1";
> }
> local test_var = "test_var";
> print test_var;
> test_1();
> >>> Output:
> test_var
> test_1
> #############################
> {code}
> To declare a function, bro 2.3 forced me to do it at the top of the file. On the exercise with the redef of the grid ftp size variable I noticed the same issue with redef, it required me to put the redef at the very top of the file.
> Robin asked me to open a ticket and mentioned this was low priority.

From jira at bro-tracker.atlassian.net Tue Oct 20 10:10:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 20 Oct 2015 12:10:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1237) Bro script declaration ordering

    [ https://bro-tracker.atlassian.net/browse/BIT-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1237:
-------------------------------

        Status: Reopened  (was: Closed)
    Resolution: (was: Fixed)

From jira at bro-tracker.atlassian.net Tue Oct 20 10:10:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 20 Oct 2015 12:10:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1237) Bro script declaration ordering

    [ https://bro-tracker.atlassian.net/browse/BIT-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1237:
-------------------------------

    Resolution: Won't Fix
        Status: Closed  (was: Reopened)

From jira at bro-tracker.atlassian.net Tue Oct 20 10:18:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 20 Oct 2015 12:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1389) [2.3.2] broccoli-config --cflags shouldn't list -I/usr/local/include twice

    [ https://bro-tracker.atlassian.net/browse/BIT-1389?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1389:
-------------------------------

    Resolution: Won't Fix
        Status: Closed  (was: Open)

Since this seems to be mostly a cosmetic issue and broccoli is going away in the future - closing this. Please feel free to re-open if there are any problems that are being caused by this.

> [2.3.2] broccoli-config --cflags shouldn't list -I/usr/local/include twice
> --------------------------------------------------------------------------
>
> Key: BIT-1389
> URL: https://bro-tracker.atlassian.net/browse/BIT-1389
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: bro-aux
> Affects Versions: 2.3
> Environment: FreeBSD fun.ee.lbl.gov 9.3-RELEASE FreeBSD 9.3-RELEASE #0 r6: Thu Oct 9 14:53:28 PDT 2014 leres at fun.ee.lbl.gov:/usr/src/9.3-SYS/amd64/compile/LBL amd64
> Reporter: leres
> Priority: Low
> Attachments: patch.txt
>
>
> For a while now broccoli-config --cflags has listed /usr/local/include twice:
> {noformat}
> fun 75 % broccoli-config --cflags
> -I/usr/local/include -I/usr/local/include -DBROCCOLI
> {noformat}

From jira at bro-tracker.atlassian.net Tue Oct 20 10:19:00 2015
From jira at bro-tracker.atlassian.net Tue Oct 20 10:19:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 20 Oct 2015 12:19:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22636#comment-22636 ]

Johanna Amann commented on BIT-1263:
------------------------------------

Just to ping on this - is there any chance that we will still get testcases - or do we just want to merge it without them?

> Implementing three event handlers for supported data structure in Modbus Analyzer
> ---------------------------------------------------------------------------------
>
>                 Key: BIT-1263
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1263
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>            Reporter: hui
>            Priority: Low
>              Labels: analyzer, modbus
>             Fix For: 2.5
>
>
> Three support data structures are defined in Modbus analyzer:
> FileRecordRequest,
> FileRecordResponse,
> ReferenceWithData
> Three event handlers are declared for them.
> The changes are already made and pushed into the branch:
> topic/hui/modbus-events2
From noreply at bro.org Wed Oct 21 00:00:33 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 21 Oct 2015 00:00:33 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510210700.t9L70X8x027007@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  ----------------------------------------------------------------------------------------------
BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1487 [3]  Bro         Eric Karasuda  Robin Sommer  2015-10-20  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [4]  bro          albertzaharovits [5]  2015-10-17  HTTP Content-Disposition header updates filename field in HTTP::Info [6]
#8 [7]   bro-plugins  michalpurzynski [8]   2015-10-17  Myricom SNF v3 packet source plugin [9]
#6 [10]  bro-plugins  jswaro [11]           2015-10-16  Adding initial conversion of TCPRS to a plugin [12]
#1 [13]  broctl       J-Gras [14]           2015-10-08  Added support for packet fanout load balancing [15]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[4] Pull Request #46 https://github.com/bro/bro/pull/46
[5] albertzaharovits https://github.com/albertzaharovits
[6] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[7] Pull Request #8 https://github.com/bro/bro-plugins/pull/8
[8] michalpurzynski https://github.com/michalpurzynski
[9] Merge Pull Request #8 with git pull --no-ff --no-commit https://github.com/michalpurzynski/bro-plugins.git master
[10] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[11] jswaro https://github.com/jswaro
[12] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[13] Pull Request #1 https://github.com/bro/broctl/pull/1
[14] J-Gras https://github.com/J-Gras
[15] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config
From jira at bro-tracker.atlassian.net Wed Oct 21 07:18:00 2015
From: jira at bro-tracker.atlassian.net (hui (JIRA))
Date: Wed, 21 Oct 2015 09:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22637#comment-22637 ]

hui commented on BIT-1263:
--------------------------

I don't think Robin would like to merge it without testcases. Too bad that I have not got any chance to collect some Modbus traces. But I did come across an open source modbus library; I will try to see whether I can create some traces that can trigger these testcases by myself. Will let you guys know.

> Implementing three event handlers for supported data structure in Modbus Analyzer
> ---------------------------------------------------------------------------------
>
>                 Key: BIT-1263
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1263
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>            Reporter: hui
>            Priority: Low
>              Labels: analyzer, modbus
>             Fix For: 2.5
>
>
> Three support data structures are defined in Modbus analyzer:
> FileRecordRequest,
> FileRecordResponse,
> ReferenceWithData
> Three event handlers are declared for them.
> The changes are already made and pushed into the branch:
> topic/hui/modbus-events2
From jira at bro-tracker.atlassian.net Thu Oct 22 00:00:00 2015
From: jira at bro-tracker.atlassian.net (Naveed Khan (JIRA))
Date: Thu, 22 Oct 2015 02:00:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1494) Hey Hi can someone help me? I need some tutorials about lunching attacks and after lunching attack how to detect it

Naveed Khan created BIT-1494:
--------------------------------

             Summary: Hey Hi can someone help me? I need some tutorials about lunching attacks and after lunching attack how to detect it
                 Key: BIT-1494
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1494
             Project: Bro Issue Tracker
          Issue Type: Task
          Components: Bro
            Reporter: Naveed Khan
            Priority: High

I am currently using Kali Linux on a VM. I am new to Bro; I need some help.
1) installation of Bro
2) Launching attack
3) Detect attack
Please, anyone here who can help?
From noreply at bro.org Thu Oct 22 00:00:30 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 22 Oct 2015 00:00:30 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510220700.t9M70UT7022395@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  ----------------------------------------------------------------------------------------------
BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]
BIT-1487 [3]  Bro         Eric Karasuda  Robin Sommer  2015-10-20  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open Fastpath Commits
======================

Commit       Component  Author         Date        Summary
-----------  ---------  -------------  ----------  ----------------------------------------------
5ba8610 [4]  bro        Daniel Thayer  2015-10-21  Correct a typo in controller.bro documentation

Open GitHub Pull Requests
=========================

Issue     Component    User                  Updated     Title
--------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [5]   bro          albertzaharovits [6]  2015-10-17  HTTP Content-Disposition header updates filename field in HTTP::Info [7]
#9 [8]    bro-plugins  J-Gras [9]            2015-10-21  AF_Packet packet source plugin [10]
#8 [11]   bro-plugins  michalpurzynski [12]  2015-10-17  Myricom SNF v3 packet source plugin [13]
#6 [14]   bro-plugins  jswaro [15]           2015-10-16  Adding initial conversion of TCPRS to a plugin [16]
#2 [17]   broctl       J-Gras [18]           2015-10-21  Added plugin for custom load balancing [19]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] BIT-1487 https://bro-tracker.atlassian.net/browse/BIT-1487
[4] 5ba8610 https://github.com/bro/bro/commit/5ba8610681725315f1027ff7e1b5717cd37b501e
[5] Pull Request #46 https://github.com/bro/bro/pull/46
[6] albertzaharovits https://github.com/albertzaharovits
[7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[8] Pull Request #9 https://github.com/bro/bro-plugins/pull/9
[9] J-Gras https://github.com/J-Gras
[10] Merge Pull Request #9 with git pull --no-ff --no-commit https://github.com/J-Gras/bro-plugins.git topic/jgras/af-packet
[11] Pull Request #8 https://github.com/bro/bro-plugins/pull/8
[12] michalpurzynski https://github.com/michalpurzynski
[13] Merge Pull Request #8 with git pull --no-ff --no-commit https://github.com/michalpurzynski/bro-plugins.git master
[14] Pull Request #6 https://github.com/bro/bro-plugins/pull/6
[15] jswaro https://github.com/jswaro
[16] Merge Pull Request #6 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[17] Pull Request #2 https://github.com/bro/broctl/pull/2
[18] J-Gras https://github.com/J-Gras
[19] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/lb-custom
From jira at bro-tracker.atlassian.net Thu Oct 22 00:14:00 2015
From: jira at bro-tracker.atlassian.net (Naveed Khan (JIRA))
Date: Thu, 22 Oct 2015 02:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1494) Hey Hi can someone help me? I need some tutorials about lunching attacks and after lunching attack how to detect it

[ https://bro-tracker.atlassian.net/browse/BIT-1494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Naveed Khan updated BIT-1494:
-----------------------------
    Status: Merge Request  (was: In Progress)

> Hey Hi can someone help me? I need some tutorials about lunching attacks and after lunching attack how to detect it
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: BIT-1494
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1494
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>            Reporter: Naveed Khan
>            Priority: High
>
> I am currently using Kali Linux on a VM. I am new to Bro; I need some help.
> 1) installation of Bro
> 2) Launching attack
> 3) Detect attack
> Please, anyone here who can help?
From jira at bro-tracker.atlassian.net Thu Oct 22 00:14:00 2015
From: jira at bro-tracker.atlassian.net (Naveed Khan (JIRA))
Date: Thu, 22 Oct 2015 02:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1494) Hey Hi can someone help me? I need some tutorials about lunching attacks and after lunching attack how to detect it

[ https://bro-tracker.atlassian.net/browse/BIT-1494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Naveed Khan updated BIT-1494:
-----------------------------
    Status: Open  (was: Merge Request)

> Hey Hi can someone help me? I need some tutorials about lunching attacks and after lunching attack how to detect it
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: BIT-1494
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1494
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>            Reporter: Naveed Khan
>            Priority: High
>
> I am currently using Kali Linux on a VM. I am new to Bro; I need some help.
> 1) installation of Bro
> 2) Launching attack
> 3) Detect attack
> Please, anyone here who can help?
From jira at bro-tracker.atlassian.net Thu Oct 22 00:14:00 2015
From: jira at bro-tracker.atlassian.net (Naveed Khan (JIRA))
Date: Thu, 22 Oct 2015 02:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1494) Hey Hi can someone help me? I need some tutorials about lunching attacks and after lunching attack how to detect it

[ https://bro-tracker.atlassian.net/browse/BIT-1494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Naveed Khan updated BIT-1494:
-----------------------------
    Status: In Progress  (was: Open)

> Hey Hi can someone help me? I need some tutorials about lunching attacks and after lunching attack how to detect it
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: BIT-1494
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1494
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>            Reporter: Naveed Khan
>            Priority: High
>
> I am currently using Kali Linux on a VM. I am new to Bro; I need some help.
> 1) installation of Bro
> 2) Launching attack
> 3) Detect attack
> Please, anyone here who can help?
From jira at bro-tracker.atlassian.net Thu Oct 22 07:26:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 22 Oct 2015 09:26:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1494) Hey Hi can someone help me? I need some tutorials about lunching attacks and after lunching attack how to detect it

[ https://bro-tracker.atlassian.net/browse/BIT-1494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1494:
-------------------------------
    Resolution: Invalid
        Status: Closed  (was: Open)

This is not a bug. The installation of bro is covered on our homepage (https://www.bro.org/download/index.html and https://www.bro.org/sphinx/install/install.html). For help on using Bro, you can join our mailing list of Bro developers and security professionals at http://mailman.icsi.berkeley.edu/mailman/listinfo/bro.

> Hey Hi can someone help me? I need some tutorials about lunching attacks and after lunching attack how to detect it
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: BIT-1494
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1494
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>            Reporter: Naveed Khan
>            Priority: High
>
> I am currently using Kali Linux on a VM. I am new to Bro; I need some help.
> 1) installation of Bro
> 2) Launching attack
> 3) Detect attack
> Please, anyone here who can help?
From jira at bro-tracker.atlassian.net Thu Oct 22 07:38:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 22 Oct 2015 09:38:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1461) Bro Mgr Scripts Fail After Threat Intel Feed Add

[ https://bro-tracker.atlassian.net/browse/BIT-1461?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22639#comment-22639 ]

Johanna Amann commented on BIT-1461:
------------------------------------

This error message shows that the value "unknown" was encountered when an enum type was expected. Hence you probably have an "unknown" in your indicator column somewhere for that data source. In Bro 2.3, encountering an undefined enum was a fatal error (i.e. Bro shut down immediately); in 2.4 it only is reported as an error from the input framework when reading the file. Just taking care that there are no such values in the input file should fix this problem.

> Bro Mgr Scripts Fail After Threat Intel Feed Add
> ------------------------------------------------
>
>                 Key: BIT-1461
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1461
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.5
>            Reporter: Tim Jackson
>            Priority: Low
>
> Getting the following on check after inclusion of 3rd party threat intel feeds. Unsure of how to continue
> manager scripts failed.
> internal error: Value not found in enum mappimg. Module: Intel, var: undefined, var size: 9
> /opt/bro/share/broctl/scripts/check-config: line 28: 30661 Aborted (core dumped) ${bro} "$@"
> proxy scripts are ok.
> calidcbrosrv001-eth1-1 scripts are ok.
> calidcbrosrv001-eth1-2 scripts are ok.
> Thanks
> Tim
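The comment above says the feed contained a value in the type column that is not a member of the Intel::Type enum. The check below is an added example, not code from the ticket or the Bro project: it reads an intel file in the input framework's tab-separated format, finds the indicator_type column from the #fields header, and flags every row whose value is not a known enum member, plus rows whose field count does not match the header (the other thing the input framework refuses). The set of Intel::Type members is an assumption matching Bro 2.4; sites that redef the enum would extend it. The feed contents are constructed.

```python
"""Pre-flight check for a Bro Intel framework input file (added example)."""
from typing import FrozenSet, List, Tuple

# Assumption: the members of Intel::Type as shipped with Bro 2.4. Sites
# that redef the enum with their own values should add them here.
KNOWN_INTEL_TYPES: FrozenSet[str] = frozenset({
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
    "Intel::FILE_NAME", "Intel::CERT_HASH", "Intel::PUBKEY_HASH",
})

# Constructed feed: line 4 carries a literal "unknown" in indicator_type,
# line 5 is missing its meta.desc field.
SAMPLE_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "192.0.2.10\tIntel::ADDR\tconstructed-feed\tscanner\n"
    "example.net\tIntel::DOMAIN\tconstructed-feed\tsinkholed domain\n"
    "203.0.113.7\tunknown\tconstructed-feed\tbad type value\n"
    "d41d8cd98f00b204e9800998ecf8427e\tIntel::FILE_HASH\tconstructed-feed\n"
)


def validate_intel_file(text: str,
                        known_types: FrozenSet[str] = KNOWN_INTEL_TYPES
                        ) -> List[Tuple[int, str]]:
    """Return (line_number, problem) pairs; an empty list means the feed is clean."""
    problems: List[Tuple[int, str]] = []
    columns: List[str] = []
    type_idx = -1
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#fields\t"):
            # The header names the columns; remember where indicator_type sits.
            columns = raw.split("\t")[1:]
            if "indicator_type" in columns:
                type_idx = columns.index("indicator_type")
            else:
                problems.append((lineno, "#fields header has no indicator_type column"))
            continue
        if not raw or raw.startswith("#"):
            continue  # blank line or another directive such as #separator
        if not columns:
            problems.append((lineno, "data row before the #fields header"))
            continue
        fields = raw.split("\t")
        if len(fields) != len(columns):
            # The input framework rejects rows whose arity differs from the header.
            problems.append((lineno, f"expected {len(columns)} fields, got {len(fields)}"))
            continue
        if type_idx >= 0 and fields[type_idx] not in known_types:
            # This is the value that surfaces as "Value not found in enum mapping".
            problems.append((lineno, f"indicator_type {fields[type_idx]!r} is not an Intel::Type value"))
    return problems


if __name__ == "__main__":
    for lineno, problem in validate_intel_file(SAMPLE_FEED):
        print(f"line {lineno}: {problem}")
```

Running this against a real feed before `broctl check` turns the internal error into a line number to fix; the type list is the only site-specific part.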
From jira at bro-tracker.atlassian.net Thu Oct 22 13:14:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 22 Oct 2015 15:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1495) Fix join_string_vec for vectors with empty elements.

Johanna Amann created BIT-1495:
----------------------------------

             Summary: Fix join_string_vec for vectors with empty elements.
                 Key: BIT-1495
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1495
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Johanna Amann
             Fix For: 2.5

Please merge topic/johanna/string_vec_null. It fixes a crash when using join_string_vec with vectors that can contain empty elements.

From jira at bro-tracker.atlassian.net Thu Oct 22 13:14:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 22 Oct 2015 15:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1495) Fix join_string_vec for vectors with empty elements.

[ https://bro-tracker.atlassian.net/browse/BIT-1495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1495:
-------------------------------
    Status: Merge Request  (was: Open)

> Fix join_string_vec for vectors with empty elements.
> ----------------------------------------------------
>
>                 Key: BIT-1495
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1495
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>             Fix For: 2.5
>
>
> Please merge topic/johanna/string_vec_null. It fixes a crash when using join_string_vec with vectors that can contain empty elements.
From jira at bro-tracker.atlassian.net Thu Oct 22 13:40:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 22 Oct 2015 15:40:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1496) Extend TLS dpd signatuer

Johanna Amann created BIT-1496:
----------------------------------

             Summary: Extend TLS dpd signatuer
                 Key: BIT-1496
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1496
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Johanna Amann
             Fix For: 2,5

Please merge topic/johanna/tls_early_alert, which extends the TLS dpd signature to allow cases where the server sends a TLS alert before the Server hello.

From jira at bro-tracker.atlassian.net Thu Oct 22 13:40:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 22 Oct 2015 15:40:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1496) Extend TLS dpd signatuer

[ https://bro-tracker.atlassian.net/browse/BIT-1496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1496:
-------------------------------
    Status: Merge Request  (was: Open)

> Extend TLS dpd signatuer
> ------------------------
>
>                 Key: BIT-1496
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1496
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>             Fix For: 2,5
>
>
> Please merge topic/johanna/tls_early_alert, which extends the TLS dpd signature to allow cases where the server sends a TLS alert before the Server hello.
From jira at bro-tracker.atlassian.net Thu Oct 22 13:43:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 22 Oct 2015 15:43:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1496) Extend TLS dpd signature

[ https://bro-tracker.atlassian.net/browse/BIT-1496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1496:
-------------------------------
    Summary: Extend TLS dpd signature  (was: Extend TLS dpd signatuer)

> Extend TLS dpd signature
> ------------------------
>
>                 Key: BIT-1496
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1496
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>             Fix For: 2,5
>
>
> Please merge topic/johanna/tls_early_alert, which extends the TLS dpd signature to allow cases where the server sends a TLS alert before the Server hello.
From jira at bro-tracker.atlassian.net Thu Oct 22 13:45:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 22 Oct 2015 15:45:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days.

[ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22640#comment-22640 ]

Johanna Amann commented on BIT-1490:
------------------------------------

Is this ready to be merged?

> Need ability to expire logs with more granularity than #days.
> -------------------------------------------------------------
>
>                 Key: BIT-1490
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1490
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Daniel Thayer
>            Priority: Low
>
> There are some users that would like or need to have BroControl maintain their collected logs with tighter granularity than how many days old the logs are.
> Right now the find command that determines which files to delete uses `-mtime` which is `x*24hr`. We would need to use the `-mmin` argument otherwise, but I suspect this would introduce the need to do some parsing of the value given so that people could specify things like `10hr` or `5days`.
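The ticket above sketches the change: accept intervals such as `10hr` or `5days`, convert them to minutes, and drive `find -mmin` instead of `-mtime`. The code below is an added example, not BroControl's implementation. It parses the interval (rejecting unknown units rather than guessing), builds the `find` argument vector, and also implements the same "strictly older than N minutes" selection in Python so the behaviour can be exercised offline against constructed files. One detail worth knowing when switching: `find -mtime +N` discards the fractional part of a file's age in days before comparing, so a file must be at least N+1 days old to match, whereas `-mmin +N` compares whole minutes. Function and file names here are illustrative.

```python
"""Minute-granular log expiry (added example; not BroControl's code)."""
import os
import re
import tempfile
import time
from typing import List, Optional

# "<number><unit>", with optional whitespace between the two; case-insensitive.
_DURATION_RE = re.compile(r"^\s*(\d+)\s*([A-Za-z]+)\s*$")
_UNIT_MINUTES = {
    "min": 1, "mins": 1, "minute": 1, "minutes": 1,
    "hr": 60, "hrs": 60, "hour": 60, "hours": 60,
    "day": 1440, "days": 1440,
}


def parse_duration(spec: str) -> int:
    """Convert "10hr", "5 days" or "90min" into minutes.

    An unrecognised unit raises ValueError; silently defaulting could
    expire logs far earlier or later than the operator intended."""
    m = _DURATION_RE.match(spec)
    if not m:
        raise ValueError(f"bad duration {spec!r}: expected <number><unit>")
    count, unit = int(m.group(1)), m.group(2).lower()
    if unit not in _UNIT_MINUTES:
        raise ValueError(f"bad duration {spec!r}: unknown unit {unit!r}")
    return count * _UNIT_MINUTES[unit]


def find_args(logdir: str, spec: str) -> List[str]:
    """argv for find(1) selecting regular files strictly older than the interval."""
    return ["find", logdir, "-type", "f", "-mmin", f"+{parse_duration(spec)}"]


def expired_files(logdir: str, spec: str, now: Optional[float] = None) -> List[str]:
    """Python equivalent of find_args(): every regular file under logdir whose
    mtime lies more than parse_duration(spec) minutes before `now`."""
    cutoff_seconds = parse_duration(spec) * 60
    now = time.time() if now is None else now
    matches: List[str] = []
    for root, _dirs, files in os.walk(logdir):
        for name in files:
            path = os.path.join(root, name)
            if now - os.stat(path).st_mtime > cutoff_seconds:
                matches.append(path)
    return sorted(matches)


def demo(spec: str = "1hr") -> List[str]:
    """Constructed scenario: two log files, 120 and 30 minutes old, in a
    temporary directory; returns the basenames that `spec` would expire."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        for name, age_minutes in (("conn.old.log", 120), ("conn.new.log", 30)):
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("constructed\n")
            stamp = now - age_minutes * 60
            os.utime(path, (stamp, stamp))
        return [os.path.basename(p) for p in expired_files(d, spec, now=now)]


if __name__ == "__main__":
    print(" ".join(find_args("/opt/bro/logs", "5days")))
    print(demo("1hr"))
```

The `demo()` helper exists only so the selection logic can be checked without touching a real log directory; in a deployment the `find_args()` vector would be what the expire-logs step executes.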
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Thu, 22 Oct 2015 15:53:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1482) Crash from: "tcmalloc: large alloc" In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22641#comment-22641 ] Johanna Amann commented on BIT-1482: ------------------------------------ That seems likely. BIT-964 already mentions that Bro can have memory problems because of DNS. Just to check - is/was DNS correctly configured in that machine? > Crash from: "tcmalloc: large alloc" > ----------------------------------- > > Key: BIT-1482 > URL: https://bro-tracker.atlassian.net/browse/BIT-1482 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: Aaron Eppert > Attachments: redacted-crash-diag.log.bz2 > > > core.91861 > [New Thread 91861] > [New Thread 91871] > [New Thread 91872] > [New Thread 91873] > [Thread debugging using libthread_db enabled] > Core was generated by `/usr/local/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p'. > Program terminated with signal 11, Segmentation fault. 
> #0 0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype") at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57 > in /mnt/hgfs/src/psdev/bro/src/Serializer.h > Thread 4 (Thread 0x7fb7ce219700 (LWP 91873)): > #0 0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 > #1 0x000000000086f551 in threading::Queue::Get (this=0x3e10c38) at /mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173 > #2 0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349 > #3 0x000000000086de02 in threading::MsgThread::Run (this=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366 > #4 0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201 > #5 0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0 > #6 0x0000003b8ece89ad in clone () from /lib64/libc.so.6 > Thread 3 (Thread 0x7fb7cec1a700 (LWP 91872)): > #0 0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 > #1 0x000000000086f551 in threading::Queue::Get (this=0x3e11838) at /mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173 > #2 0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349 > #3 0x000000000086de02 in threading::MsgThread::Run (this=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366 > #4 0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201 > #5 0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0 > #6 0x0000003b8ece89ad in clone () from /lib64/libc.so.6 > Thread 2 (Thread 0x7fb7cf61b700 (LWP 91871)): > #0 0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 > #1 0x000000000086f551 in threading::Queue::Get (this=0x3e12438) at 
/mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173 > #2 0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349 > #3 0x000000000086de02 in threading::MsgThread::Run (this=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366 > #4 0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201 > #5 0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0 > #6 0x0000003b8ece89ad in clone () from /lib64/libc.so.6 > Thread 1 (Thread 0x7fb84fc06800 (LWP 91861)): > #0 0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype") at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57 > #1 0x0000000000817fb4 in SerialObj::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:268 > #2 0x00000000007e1be2 in BroObj::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Obj.cc:226 > #3 0x00000000008459b4 in BroType::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:283 > #4 0x000000000081788a in SerialObj::Serialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > #5 0x0000000000845670 in BroType::Serialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212 > #6 0x0000000000742c72 in Attributes::DoSerialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516 > #7 0x000000000081788a in SerialObj::Serialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > #8 0x0000000000742b1b in Attributes::Serialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500 > #9 0x0000000000848ab5 in TypeDecl::Serialize (this=0x2c05ec0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929 > #10 0x000000000084a01a in RecordType::DoSerialize 
(this=0x2aea340, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:1250 > #11 0x000000000081788a in SerialObj::Serialize (this=0x2aea340, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > ... (pattern repeats .... ) > ... > #116924 0x0000000000845670 in BroType::Serialize (this=0x4740480, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212 > #116925 0x0000000000742c72 in Attributes::DoSerialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516 > #116926 0x000000000081788a in SerialObj::Serialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > #116927 0x0000000000742b1b in Attributes::Serialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500 > #116928 0x0000000000848ab5 in TypeDecl::Serialize (this=0x47eae00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929 > #116929 0x000000000084a01a in RecordType::DoSerialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:1250 > #116930 0x000000000081788a in SerialObj::Serialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > #116931 0x0000000000845670 in BroType::Serialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212 > #116932 0x0000000000742c72 in Attributes::DoSerialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516 > #116933 0x000000000081788a in SerialObj::Serialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > #116934 0x0000000000742b1b in Attributes::Serialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500 > #116935 0x0000000000848ab5 in TypeDecl::Serialize (this=0x47e81c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929 > #116936 0x000000000084a01a in RecordType::DoSerialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at 
/mnt/hgfs/src/psdev/bro/src/Type.cc:1250 > #116937 0x000000000081788a in SerialObj::Serialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > #116938 0x0000000000845670 in BroType::Serialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212 > #116939 0x0000000000854a9e in Val::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:188 > #116940 0x00000000008562bc in MutableVal::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:656 > #116941 0x000000000085efb2 in RecordVal::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:2813 > #116942 0x000000000081788a in SerialObj::Serialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > #116943 0x0000000000854643 in Val::Serialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:100 > #116944 0x0000000000854511 in Val::Clone (this=0x6b92760) at /mnt/hgfs/src/psdev/bro/src/Val.cc:83 > #116945 0x00000000007a4d91 in Frame::Clone (this=0x8b612d0) at /mnt/hgfs/src/psdev/bro/src/Frame.cc:78 > #116946 0x0000000000841676 in Trigger::Trigger (this=0x2b79dc0, arg_cond=0x4ae81c0, arg_body=0x4af3600, arg_timeout_stmts=0x0, arg_timeout=0x0, arg_frame=0x8b612d0, arg_is_return=false, arg_location=0x4b4d280) at /mnt/hgfs/src/psdev/bro/src/Trigger.cc:108 > #116947 0x000000000083db0e in WhenStmt::Exec (this=0x4b3eba0, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:2166 > #116948 0x000000000083c17b in StmtList::Exec (this=0x4af4260, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:1764 > #116949 0x000000000083c17b in StmtList::Exec (this=0x4b56540, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:1764 > #116950 0x00000000007a649b in BroFunc::Call (this=0x3099030, args=0x82c33e0, parent=0x0) at 
/mnt/hgfs/src/psdev/bro/src/Func.cc:386 > #116951 0x000000000077f12e in EventHandler::Call (this=0x3084600, vl=0x82c33e0, no_remote=false) at /mnt/hgfs/src/psdev/bro/src/EventHandler.cc:80 > #116952 0x0000000000732965 in Event::Dispatch (this=0xb5004e0, no_remote=false) at /mnt/hgfs/src/psdev/bro/src/Event.h:50 > #116953 0x000000000077e85d in EventMgr::Dispatch (this=0xf66ee0) at /mnt/hgfs/src/psdev/bro/src/Event.cc:111 > #116954 0x000000000077e968 in EventMgr::Drain (this=0xf66ee0) at /mnt/hgfs/src/psdev/bro/src/Event.cc:128 > #116955 0x00000000007ddd66 in net_packet_dispatch (t=1442838074.400739, hdr=0x4d73140, pkt=0x7fb7db8622fc
, hdr_size=14, src_ps=0x4d73000) at /mnt/hgfs/src/psdev/bro/src/Net.cc:278 > #116956 0x0000000000af1ed6 in iosource::PktSrc::Process (this=0x4d73000) at /mnt/hgfs/src/psdev/bro/src/iosource/PktSrc.cc:411 > #116957 0x00000000007ddf6f in net_run () at /mnt/hgfs/src/psdev/bro/src/Net.cc:320 > #116958 0x00000000007319aa in main (argc=18, argv=0x7ffde1aa3af8) at /mnt/hgfs/src/psdev/bro/src/main.cc:1200 > ==== No reporter.log > ==== stderr.log > internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: GNU General Public License for more details. > internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: You should have received a copy of the GNU General Public License > internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: along with tcplog. If not, see . 
> listening on eth1, capture length 65535 bytes
> processing suspended
> processing continued
> tcmalloc: large alloc 1562509312 bytes == 0x498f0000 @ 0x7fb85004b4ac 0x7fb85006b22c 0x73b0e5 0x815270 0x81627e 0x7437f8 0x742ddd 0x81788a 0x742b1b 0x848ab5 0x84a01a 0x81788a 0x845670 0x848b3b 0x84a01a 0x81788a 0x845670 0x846db0 0x84759e 0x81788a 0x845670 0x742c72 0x81788a 0x742b1b 0x848ab5 0x84a01a 0x81788a 0x845670 0x742c72 0x81788a 0x742b1b
> /usr/local/bro/share/broctl/scripts/run-bro: line 85: 91861 Segmentation fault (core dumped) nohup ${pin_command} $pin_cpu $mybro "$@"
> ----
> (gdb) frame 0
> #0 0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype") at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57
> 57 DECLARE_IO(uint16)
> (gdb) print *this
> $8 = {_vptr.Serializer = 0xb7dc50, static MAGIC = 1112691540, static DATA_FORMAT_VERSION = 25, io = 0x0, format = 0x89def00, current_cache = 0x0, error_descr = 0x0}
> (gdb) print *this
> $10 = {_vptr.Serializer = 0xb7dc50, static MAGIC = 1112691540, static DATA_FORMAT_VERSION = 25, io = 0x0, format = 0x89def00, current_cache = 0x0, error_descr = 0x0}
> (gdb) print *this->format
> $11 = {_vptr.SerializationFormat = 0xb74dd0, static INITIAL_SIZE = 65536, static GROWTH_FACTOR = 2.5, output = 0x498f0000 "\001", output_size = 1562499968, output_pos = 852829181, input = 0x0, input_len = 0, input_pos = 0, bytes_written = 852829181, bytes_read = 0}
> The stack trace and the problem seem to be similar to:
> http://mailman.icsi.berkeley.edu/pipermail/bro/2015-March/008241.html
-- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107)
From jira at bro-tracker.atlassian.net Thu Oct 22 13:56:00 2015 From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA)) Date: Thu, 22 Oct 2015 15:56:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1482) Crash from: "tcmalloc: large alloc" In-Reply-To: References: Message-ID: [
https://bro-tracker.atlassian.net/browse/BIT-1482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22642#comment-22642 ] Aaron Eppert commented on BIT-1482: ----------------------------------- Yes. DNS was correctly set on the machine. It is fairly sporadic, but consistent with where it crashed. I am assuming, based on the VM and general infrastructure, that if there was a bottleneck upstream in DNS or the machine itself was overloaded, then the connection to the resolver would fail and then Bro would crash. I had it going days without it happening; then I loaded down the underlying machine plus the VM, and it would happen a lot more often, usually in under an hour depending on load. Always the same script, and I can only assume it is lookup_hostname_txt related given BIT-964; after the removal of the script from local.bro everything has been working perfectly. > Crash from: "tcmalloc: large alloc" > ----------------------------------- > > Key: BIT-1482 > URL: https://bro-tracker.atlassian.net/browse/BIT-1482 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: Aaron Eppert > Attachments: redacted-crash-diag.log.bz2 > > > core.91861 > [New Thread 91861] > [New Thread 91871] > [New Thread 91872] > [New Thread 91873] > [Thread debugging using libthread_db enabled] > Core was generated by `/usr/local/bro/bin/bro -i eth1 -U .status -p broctl -p broctl-live -p local -p'. > Program terminated with signal 11, Segmentation fault.
> #0 0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype") at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57 > in /mnt/hgfs/src/psdev/bro/src/Serializer.h > Thread 4 (Thread 0x7fb7ce219700 (LWP 91873)): > #0 0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 > #1 0x000000000086f551 in threading::Queue::Get (this=0x3e10c38) at /mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173 > #2 0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349 > #3 0x000000000086de02 in threading::MsgThread::Run (this=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366 > #4 0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e10c00) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201 > #5 0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0 > #6 0x0000003b8ece89ad in clone () from /lib64/libc.so.6 > Thread 3 (Thread 0x7fb7cec1a700 (LWP 91872)): > #0 0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 > #1 0x000000000086f551 in threading::Queue::Get (this=0x3e11838) at /mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173 > #2 0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349 > #3 0x000000000086de02 in threading::MsgThread::Run (this=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366 > #4 0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e11800) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201 > #5 0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0 > #6 0x0000003b8ece89ad in clone () from /lib64/libc.so.6 > Thread 2 (Thread 0x7fb7cf61b700 (LWP 91871)): > #0 0x0000003b8f00ba0e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 > #1 0x000000000086f551 in threading::Queue::Get (this=0x3e12438) at 
/mnt/hgfs/src/psdev/bro/src/threading/Queue.h:173 > #2 0x000000000086dcfb in threading::MsgThread::RetrieveIn (this=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:349 > #3 0x000000000086de02 in threading::MsgThread::Run (this=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/MsgThread.cc:366 > #4 0x000000000086a2c6 in threading::BasicThread::launcher (arg=0x3e12400) at /mnt/hgfs/src/psdev/bro/src/threading/BasicThread.cc:201 > #5 0x0000003b8f007a51 in start_thread () from /lib64/libpthread.so.0 > #6 0x0000003b8ece89ad in clone () from /lib64/libc.so.6 > Thread 1 (Thread 0x7fb84fc06800 (LWP 91861)): > #0 0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype") at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57 > #1 0x0000000000817fb4 in SerialObj::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:268 > #2 0x00000000007e1be2 in BroObj::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Obj.cc:226 > #3 0x00000000008459b4 in BroType::DoSerialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:283 > #4 0x000000000081788a in SerialObj::Serialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > #5 0x0000000000845670 in BroType::Serialize (this=0x2c2a400, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212 > #6 0x0000000000742c72 in Attributes::DoSerialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516 > #7 0x000000000081788a in SerialObj::Serialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > #8 0x0000000000742b1b in Attributes::Serialize (this=0x2c2afc0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500 > #9 0x0000000000848ab5 in TypeDecl::Serialize (this=0x2c05ec0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929 > #10 0x000000000084a01a in RecordType::DoSerialize 
(this=0x2aea340, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:1250 > #11 0x000000000081788a in SerialObj::Serialize (this=0x2aea340, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > ... (pattern repeats .... ) > ... > #116924 0x0000000000845670 in BroType::Serialize (this=0x4740480, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212 > #116925 0x0000000000742c72 in Attributes::DoSerialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516 > #116926 0x000000000081788a in SerialObj::Serialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > #116927 0x0000000000742b1b in Attributes::Serialize (this=0x4808e00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500 > #116928 0x0000000000848ab5 in TypeDecl::Serialize (this=0x47eae00, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929 > #116929 0x000000000084a01a in RecordType::DoSerialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:1250 > #116930 0x000000000081788a in SerialObj::Serialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > #116931 0x0000000000845670 in BroType::Serialize (this=0x4847e60, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212 > #116932 0x0000000000742c72 in Attributes::DoSerialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:516 > #116933 0x000000000081788a in SerialObj::Serialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > #116934 0x0000000000742b1b in Attributes::Serialize (this=0x48081c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Attr.cc:500 > #116935 0x0000000000848ab5 in TypeDecl::Serialize (this=0x47e81c0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:929 > #116936 0x000000000084a01a in RecordType::DoSerialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at 
/mnt/hgfs/src/psdev/bro/src/Type.cc:1250 > #116937 0x000000000081788a in SerialObj::Serialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > #116938 0x0000000000845670 in BroType::Serialize (this=0x2aec4a0, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Type.cc:212 > #116939 0x0000000000854a9e in Val::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:188 > #116940 0x00000000008562bc in MutableVal::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:656 > #116941 0x000000000085efb2 in RecordVal::DoSerialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:2813 > #116942 0x000000000081788a in SerialObj::Serialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/SerialObj.cc:121 > #116943 0x0000000000854643 in Val::Serialize (this=0x6b92760, info=0x7ffde1aa2d60) at /mnt/hgfs/src/psdev/bro/src/Val.cc:100 > #116944 0x0000000000854511 in Val::Clone (this=0x6b92760) at /mnt/hgfs/src/psdev/bro/src/Val.cc:83 > #116945 0x00000000007a4d91 in Frame::Clone (this=0x8b612d0) at /mnt/hgfs/src/psdev/bro/src/Frame.cc:78 > #116946 0x0000000000841676 in Trigger::Trigger (this=0x2b79dc0, arg_cond=0x4ae81c0, arg_body=0x4af3600, arg_timeout_stmts=0x0, arg_timeout=0x0, arg_frame=0x8b612d0, arg_is_return=false, arg_location=0x4b4d280) at /mnt/hgfs/src/psdev/bro/src/Trigger.cc:108 > #116947 0x000000000083db0e in WhenStmt::Exec (this=0x4b3eba0, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:2166 > #116948 0x000000000083c17b in StmtList::Exec (this=0x4af4260, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:1764 > #116949 0x000000000083c17b in StmtList::Exec (this=0x4b56540, f=0x8b612d0, flow=@0x7ffde1aa3064) at /mnt/hgfs/src/psdev/bro/src/Stmt.cc:1764 > #116950 0x00000000007a649b in BroFunc::Call (this=0x3099030, args=0x82c33e0, parent=0x0) at 
/mnt/hgfs/src/psdev/bro/src/Func.cc:386 > #116951 0x000000000077f12e in EventHandler::Call (this=0x3084600, vl=0x82c33e0, no_remote=false) at /mnt/hgfs/src/psdev/bro/src/EventHandler.cc:80 > #116952 0x0000000000732965 in Event::Dispatch (this=0xb5004e0, no_remote=false) at /mnt/hgfs/src/psdev/bro/src/Event.h:50 > #116953 0x000000000077e85d in EventMgr::Dispatch (this=0xf66ee0) at /mnt/hgfs/src/psdev/bro/src/Event.cc:111 > #116954 0x000000000077e968 in EventMgr::Drain (this=0xf66ee0) at /mnt/hgfs/src/psdev/bro/src/Event.cc:128 > #116955 0x00000000007ddd66 in net_packet_dispatch (t=1442838074.400739, hdr=0x4d73140, pkt=0x7fb7db8622fc
, hdr_size=14, src_ps=0x4d73000) at /mnt/hgfs/src/psdev/bro/src/Net.cc:278 > #116956 0x0000000000af1ed6 in iosource::PktSrc::Process (this=0x4d73000) at /mnt/hgfs/src/psdev/bro/src/iosource/PktSrc.cc:411 > #116957 0x00000000007ddf6f in net_run () at /mnt/hgfs/src/psdev/bro/src/Net.cc:320 > #116958 0x00000000007319aa in main (argc=18, argv=0x7ffde1aa3af8) at /mnt/hgfs/src/psdev/bro/src/main.cc:1200 > ==== No reporter.log > ==== stderr.log > internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: GNU General Public License for more details. > internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: You should have received a copy of the GNU General Public License > internal warning in /usr/local/bro/share/bro/base/frameworks/control/./main.bro, line 1: Discarded extraneous Broxygen comment: along with tcplog. If not, see . 
> listening on eth1, capture length 65535 bytes
> processing suspended
> processing continued
> tcmalloc: large alloc 1562509312 bytes == 0x498f0000 @ 0x7fb85004b4ac 0x7fb85006b22c 0x73b0e5 0x815270 0x81627e 0x7437f8 0x742ddd 0x81788a 0x742b1b 0x848ab5 0x84a01a 0x81788a 0x845670 0x848b3b 0x84a01a 0x81788a 0x845670 0x846db0 0x84759e 0x81788a 0x845670 0x742c72 0x81788a 0x742b1b 0x848ab5 0x84a01a 0x81788a 0x845670 0x742c72 0x81788a 0x742b1b
> /usr/local/bro/share/broctl/scripts/run-bro: line 85: 91861 Segmentation fault (core dumped) nohup ${pin_command} $pin_cpu $mybro "$@"
> ----
> (gdb) frame 0
> #0 0x000000000081816b in Serializer::Write (this=0x7ffde1aa2d00, v=35329, tag=0xb752df "stype") at /mnt/hgfs/src/psdev/bro/src/Serializer.h:57
> 57 DECLARE_IO(uint16)
> (gdb) print *this
> $8 = {_vptr.Serializer = 0xb7dc50, static MAGIC = 1112691540, static DATA_FORMAT_VERSION = 25, io = 0x0, format = 0x89def00, current_cache = 0x0, error_descr = 0x0}
> (gdb) print *this
> $10 = {_vptr.Serializer = 0xb7dc50, static MAGIC = 1112691540, static DATA_FORMAT_VERSION = 25, io = 0x0, format = 0x89def00, current_cache = 0x0, error_descr = 0x0}
> (gdb) print *this->format
> $11 = {_vptr.SerializationFormat = 0xb74dd0, static INITIAL_SIZE = 65536, static GROWTH_FACTOR = 2.5, output = 0x498f0000 "\001", output_size = 1562499968, output_pos = 852829181, input = 0x0, input_len = 0, input_pos = 0, bytes_written = 852829181, bytes_read = 0}
> The stack trace and the problem seem to be similar to:
> http://mailman.icsi.berkeley.edu/pipermail/bro/2015-March/008241.html
-- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107)
From jira at bro-tracker.atlassian.net Thu Oct 22 13:57:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Thu, 22 Oct 2015 15:57:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1191) Update libgeoip support for new API version In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22643#comment-22643 ] Johanna Amann commented on BIT-1191: ------------------------------------ Seth mentioned we should potentially do this for 2.5. This also would be a good opportunity to merge the changes of Aashish in BIT-1472. > Update libgeoip support for new API version > ------------------------------------------- > > Key: BIT-1191 > URL: https://bro-tracker.atlassian.net/browse/BIT-1191 > Project: Bro Issue Tracker > Issue Type: Task > Components: Bro > Affects Versions: 2.4 > Reporter: Seth Hall > Fix For: 2.5 > > > MaxMind has released a new version of the GeoIP api and we should update to support the old and new APIs. -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Thu Oct 22 13:57:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Thu, 22 Oct 2015 15:57:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1191) Update libgeoip support for new API version In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1191: ------------------------------- Fix Version/s: 2.5 > Update libgeoip support for new API version > ------------------------------------------- > > Key: BIT-1191 > URL: https://bro-tracker.atlassian.net/browse/BIT-1191 > Project: Bro Issue Tracker > Issue Type: Task > Components: Bro > Affects Versions: 2.4 > Reporter: Seth Hall > Fix For: 2.5 > > > MaxMind has released a new version of the GeoIP api and we should update to support the old and new APIs. -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Thu Oct 22 14:02:00 2015 
From: jira at bro-tracker.atlassian.net (Lloyd Brown (JIRA)) Date: Thu, 22 Oct 2015 16:02:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1497) pattern [:space:] shortcut not matching as expected In-Reply-To: References: Message-ID: Lloyd Brown created BIT-1497: -------------------------------- Summary: pattern [:space:] shortcut not matching as expected Key: BIT-1497 URL: https://bro-tracker.atlassian.net/browse/BIT-1497 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Affects Versions: 2.4 Environment: Running tests using Bro 2.4.1 (precompiled from http://download.opensuse.org/repositories/network:/bro/xUbuntu_14.10/) on Ubuntu 14.10. Running using a simple "/opt/bro/bin/bro myscript.bro" syntax. Reporter: Lloyd Brown Attachments: patterns.space_shortcut.testcase.bro, patterns.space_shortcut.testcase.bro.output I'm trying to do some RegEx-like pattern matching of a data stream using Bro, and I'm finding that, at least some of the shortcuts, like '[:space:]' don't seem to act as expected. In short, I expected that '[:space:]' and '[ \f\n\r\t\v]' would be interchangeable, but that doesn't seem to be the case. I have not tested any other shortcuts like '[:alpha:]', '[:digit:]', etc. Just '[:space:]' so far. I will attach an example script, as well as a file containing the output I'm seeing. -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Thu Oct 22 14:04:02 2015 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Thu, 22 Oct 2015 16:04:02 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1265) Single sided HTTP POST split In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1265: ------------------------------- Resolution: Won't Fix Status: Closed (was: Open) I am closing this for now. It is one of the well-known gotchas of the current Bro implementation, that it does not deal well with one-sided traffic. We should fix that at some point in the future - however, it will not be forgotten and extends way beyond the issues indicated in this bug. If there is any more need for discussion, feel free to re-open. > Single sided HTTP POST split > ---------------------------- > > Key: BIT-1265 > URL: https://bro-tracker.atlassian.net/browse/BIT-1265 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Environment: CentOS 6 > Reporter: Jimmy Jones > Fix For: 2.5 > > Attachments: sample-upload2-all.pcap, sample-upload2-req.pcap > > > Attached two pcap samples, one is a single sided version of the other, an HTTP POST. > When I process the single sided version (sample-upload2-req) conn.log shows two sessions (the HTTP POST tcp connection that has been split) and http.log shows a partial upload. However processing the original sample (sample-upload2-all) everything is as expected - one connection in conn.log and a complete http.log > Are there any parameters I can tweak to make this work? -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Thu Oct 22 14:08:00 2015 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Thu, 22 Oct 2015 16:08:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1251) content_gap not being raised In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1251: ------------------------------- Resolution: Won't Fix Status: Closed (was: Open) Closing since this is the currently intended behavior and there is nothing to be done. > content_gap not being raised > ---------------------------- > > Key: BIT-1251 > URL: https://bro-tracker.atlassian.net/browse/BIT-1251 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Environment: Fedora 20 > Reporter: Jimmy Jones > Attachments: analyser.bro, test5-10mb.pcap.gz > > > Using the attached bro script, I extract out the http response, which contains some null padding for the missing packets. However the content_gap event never gets raised, despite http_entity_data not receiving the entire download. -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Thu Oct 22 14:15:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Thu, 22 Oct 2015 16:15:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1497) pattern [:space:] shortcut not matching as expected In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22646#comment-22646 ] Robin Sommer commented on BIT-1497: ----------------------------------- Ah, I see the problem: you need to write it like this: {noformat} /[[:space:]]/ {noformat} (i.e., double brackets). These work only inside a character class (which I believe is standard behavior). > pattern [:space:] shortcut not matching as expected > --------------------------------------------------- > > Key: BIT-1497 > URL: https://bro-tracker.atlassian.net/browse/BIT-1497 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Environment: Running tests using Bro 2.4.1 (precompiled from http://download.opensuse.org/repositories/network:/bro/xUbuntu_14.10/) on Ubuntu 14.10. > Running using a simple "/opt/bro/bin/bro myscript.bro" syntax. > Reporter: Lloyd Brown > Labels: pattern > Attachments: patterns.space_shortcut.testcase.bro, patterns.space_shortcut.testcase.bro.output > > > I'm trying to do some RegEx-like pattern matching of a data stream using Bro, and I'm finding that, at least some of the shortcuts, like '[:space:]' don't seem to act as expected. > In short, I expected that '[:space:]' and '[ \f\n\r\t\v]' would be interchangeable, but that doesn't seem to be the case. I have not tested any other shortcuts like '[:alpha:]', '[:digit:]', etc. Just '[:space:]' so far. > I will attach an example script, as well as a file containing the output I'm seeing. -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Thu Oct 22 14:28:00 2015 
From: jira at bro-tracker.atlassian.net (Lloyd Brown (JIRA)) Date: Thu, 22 Oct 2015 16:28:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1497) pattern [:space:] shortcut not matching as expected In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22647#comment-22647 ] Lloyd Brown commented on BIT-1497: ---------------------------------- That seems to be the case. Sorry to annoy you unnecessarily. To be honest, I'm more familiar with the PCRE-style shortcuts (eg '\s') than this style. Those can exist either inside or outside a char class. Old habits, I guess..... Thanks, Lloyd > pattern [:space:] shortcut not matching as expected > --------------------------------------------------- > > Key: BIT-1497 > URL: https://bro-tracker.atlassian.net/browse/BIT-1497 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Environment: Running tests using Bro 2.4.1 (precompiled from http://download.opensuse.org/repositories/network:/bro/xUbuntu_14.10/) on Ubuntu 14.10. > Running using a simple "/opt/bro/bin/bro myscript.bro" syntax. > Reporter: Lloyd Brown > Labels: pattern > Attachments: patterns.space_shortcut.testcase.bro, patterns.space_shortcut.testcase.bro.output > > > I'm trying to do some RegEx-like pattern matching of a data stream using Bro, and I'm finding that, at least some of the shortcuts, like '[:space:]' don't seem to act as expected. > In short, I expected that '[:space:]' and '[ \f\n\r\t\v]' would be interchangeable, but that doesn't seem to be the case. I have not tested any other shortcuts like '[:alpha:]', '[:digit:]', etc. Just '[:space:]' so far. > I will attach an example script, as well as a file containing the output I'm seeing. -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Thu Oct 22 14:34:00 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Thu, 22 Oct 2015 16:34:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1497) pattern [:space:] shortcut not matching as expected In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22648#comment-22648 ] Robin Sommer commented on BIT-1497: ----------------------------------- No problem. > pattern [:space:] shortcut not matching as expected > --------------------------------------------------- > > Key: BIT-1497 > URL: https://bro-tracker.atlassian.net/browse/BIT-1497 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Environment: Running tests using Bro 2.4.1 (precompiled from http://download.opensuse.org/repositories/network:/bro/xUbuntu_14.10/) on Ubuntu 14.10. > Running using a simple "/opt/bro/bin/bro myscript.bro" syntax. > Reporter: Lloyd Brown > Labels: pattern > Attachments: patterns.space_shortcut.testcase.bro, patterns.space_shortcut.testcase.bro.output > > > I'm trying to do some RegEx-like pattern matching of a data stream using Bro, and I'm finding that, at least some of the shortcuts, like '[:space:]' don't seem to act as expected. > In short, I expected that '[:space:]' and '[ \f\n\r\t\v]' would be interchangeable, but that doesn't seem to be the case. I have not tested any other shortcuts like '[:alpha:]', '[:digit:]', etc. Just '[:space:]' so far. > I will attach an example script, as well as a file containing the output I'm seeing. -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From jira at bro-tracker.atlassian.net Thu Oct 22 14:35:00 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Thu, 22 Oct 2015 16:35:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1497) pattern [:space:] shortcut not matching as expected In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1497?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1497: ------------------------------ Resolution: Invalid Status: Closed (was: Open) > pattern [:space:] shortcut not matching as expected > --------------------------------------------------- > > Key: BIT-1497 > URL: https://bro-tracker.atlassian.net/browse/BIT-1497 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Environment: Running tests using Bro 2.4.1 (precompiled from http://download.opensuse.org/repositories/network:/bro/xUbuntu_14.10/) on Ubuntu 14.10. > Running using a simple "/opt/bro/bin/bro myscript.bro" syntax. > Reporter: Lloyd Brown > Labels: pattern > Attachments: patterns.space_shortcut.testcase.bro, patterns.space_shortcut.testcase.bro.output > > > I'm trying to do some RegEx-like pattern matching of a data stream using Bro, and I'm finding that, at least some of the shortcuts, like '[:space:]' don't seem to act as expected. > In short, I expected that '[:space:]' and '[ \f\n\r\t\v]' would be interchangeable, but that doesn't seem to be the case. I have not tested any other shortcuts like '[:alpha:]', '[:digit:]', etc. Just '[:space:]' so far. > I will attach an example script, as well as a file containing the output I'm seeing. -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) From noreply at bro.org Fri Oct 23 00:00:32 2015 
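The BIT-1497 thread above turns on one detail of Bro's flex-style pattern syntax: a POSIX class such as `[:space:]` is only recognised inside a bracket expression, so the working form is `/[[:space:]]/`. The following script is an added illustration written for this page; it is not from the ticket, its attachments, or the Bro distribution. It assumes Bro 2.4 script-land (`split_string()`, the `in` operator for pattern-in-string tests), and its reading of the bare `/[:space:]/` as the six-character set `:`, `s`, `p`, `a`, `c`, `e` is an inference from flex bracket-expression semantics, not something the ticket states.

```bro
# Added example for BIT-1497 (not from the ticket or the Bro distribution).
# Assumes Bro 2.4 script-land: split_string(), the `in` operator for
# pattern-in-string, and flex-style bracket expressions.
# Run with:  bro posix_class_example.bro

# POSIX class inside a bracket expression: the form recommended in the thread.
const ws_posix    = /[[:space:]]+/;
# The explicit set the reporter expected [:space:] to be equivalent to.
const ws_explicit = /[ \f\n\r\t\v]+/;
# The bare form from the report. Under flex-style bracket-expression rules
# this is just the set of the characters ':', 's', 'p', 'a', 'c', 'e'
# (assumption based on flex semantics), so it matches letters, not whitespace.
const ws_bare     = /[:space:]+/;

# Split s on pattern p and print the pieces under a label.
function show_split(label: string, p: pattern, s: string)
    {
    local parts = split_string(s, p);
    print fmt("%-9s %d piece(s): %s", label, |parts|, parts);
    }

event bro_init()
    {
    local line = "GET /index.html\tHTTP/1.1";

    # posix and explicit both yield the same three pieces
    # ("GET", "/index.html", "HTTP/1.1"). bare splits once, at the 'e' in
    # "index", and leaves the space and the tab untouched.
    show_split("posix", ws_posix, line);
    show_split("explicit", ws_explicit, line);
    show_split("bare", ws_bare, line);

    # Direct checks of the same point.
    print /[[:space:]]/ in "x y";   # T: the space is matched
    print /[:space:]/ in "x y";     # F: none of : s p a c e present
    print /[:space:]/ in "xyz";     # F
    print /[:space:]/ in "bar";     # T: matches the 'a', not whitespace
    }
```

The last two checks are the practical reason this matters for detection scripts: a bare `/[:space:]/` does not fail loudly, it silently matches a different character set, so a signature or log parser written that way can both miss whitespace and fire on ordinary letters.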
From: noreply at bro.org (Merge Tracker)
Date: Fri, 23 Oct 2015 00:00:32 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510230700.t9N70Wh9003993@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  --------------------------------------------------------------------------------------------------
BIT-1496 [1]  Bro         Johanna Amann  -             2015-10-22  2,5          Normal    Extend TLS dpd signature
BIT-1495 [2]  Bro         Johanna Amann  -             2015-10-22  2.5          Normal    Fix join_string_vec for vectors with empty elements.
BIT-1489 [3]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [4]
BIT-1487 [5]  Bro         Eric Karasuda  Robin Sommer  2015-10-20  2.5          Normal    protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Open Fastpath Commits
======================

Commit       Component  Author         Date        Summary
-----------  ---------  -------------  ----------  ----------------------------------------------
5ba8610 [6]  bro        Daniel Thayer  2015-10-21  Correct a typo in controller.bro documentation

Open GitHub Pull Requests
=========================

Issue     Component    User                   Updated     Title
--------  -----------  ---------------------  ----------  ------------------------------------------------------------------------
#46 [7]   bro          albertzaharovits [8]   2015-10-17  HTTP Content-Disposition header updates filename field in HTTP::Info [9]
#9 [10]   bro-plugins  J-Gras [11]            2015-10-21  AF_Packet packet source plugin [12]
#8 [13]   bro-plugins  michalpurzynski [14]   2015-10-17  Myricom SNF v3 packet source plugin [15]
#6 [16]   bro-plugins  jswaro [17]            2015-10-16  Adding initial conversion of TCPRS to a plugin [18]
#2 [19]   broctl       J-Gras [20]            2015-10-21  Added plugin for custom load balancing [21]

[1]  BIT-1496  https://bro-tracker.atlassian.net/browse/BIT-1496
[2]  BIT-1495  https://bro-tracker.atlassian.net/browse/BIT-1495
[3]  BIT-1489  https://bro-tracker.atlassian.net/browse/BIT-1489
[4]  ticket1396  https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[5]  BIT-1487  https://bro-tracker.atlassian.net/browse/BIT-1487
[6]  5ba8610  https://github.com/bro/bro/commit/5ba8610681725315f1027ff7e1b5717cd37b501e
[7]  Pull Request #46  https://github.com/bro/bro/pull/46
[8]  albertzaharovits  https://github.com/albertzaharovits
[9]  Merge Pull Request #46 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[10] Pull Request #9  https://github.com/bro/bro-plugins/pull/9
[11] J-Gras  https://github.com/J-Gras
[12] Merge Pull Request #9 with  git pull --no-ff --no-commit https://github.com/J-Gras/bro-plugins.git topic/jgras/af-packet
[13] Pull Request #8  https://github.com/bro/bro-plugins/pull/8
[14] michalpurzynski  https://github.com/michalpurzynski
[15] Merge Pull Request #8 with  git pull --no-ff --no-commit https://github.com/michalpurzynski/bro-plugins.git master
[16] Pull Request #6  https://github.com/bro/bro-plugins/pull/6
[17] jswaro  https://github.com/jswaro
[18] Merge Pull Request #6 with  git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[19] Pull Request #2  https://github.com/bro/broctl/pull/2
[20] J-Gras  https://github.com/J-Gras
[21] Merge Pull Request #2 with  git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/lb-custom

From jira at bro-tracker.atlassian.net Fri Oct 23 11:06:02 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 23 Oct 2015 13:06:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-672) Bring POP3 back into the distribution

    [ https://bro-tracker.atlassian.net/browse/BIT-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22649#comment-22649 ]

Johanna Amann commented on BIT-672:
-----------------------------------

Do we still want to do this and just keep it deactivated? I actually would not really have a problem with that; it does not really change a lot. Or do we just want to say that we are never going to bring back POP3?

> Bring POP3 back into the distribution
> -------------------------------------
>
>                 Key: BIT-672
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-672
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Matthias Vallentin
>            Assignee: Seth Hall
>             Fix For: 2.5
>
>
> The current master no longer has support for POP3. It lingers around, but we need to bring it back into the distribution.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net Fri Oct 23 14:14:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 23 Oct 2015 16:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1496) Extend TLS dpd signature

     [ https://bro-tracker.atlassian.net/browse/BIT-1496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1496:
---------------------------------

    Assignee: Robin Sommer

> Extend TLS dpd signature
> ------------------------
>
>                 Key: BIT-1496
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1496
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Robin Sommer
>             Fix For: 2,5
>
>
> Please merge topic/johanna/tls_early_alert, which extends the TLS dpd signature to allow cases where the server sends a TLS alert before the Server hello.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net Fri Oct 23 14:15:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 23 Oct 2015 16:15:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1495) Fix join_string_vec for vectors with empty elements.

     [ https://bro-tracker.atlassian.net/browse/BIT-1495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1495:
---------------------------------

    Assignee: Robin Sommer

> Fix join_string_vec for vectors with empty elements.
> ----------------------------------------------------
>
>                 Key: BIT-1495
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1495
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Robin Sommer
>             Fix For: 2.5
>
>
> Please merge topic/johanna/string_vec_null. It fixes a crash when using join_string_vec with vectors that can contain empty elements.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net Fri Oct 23 15:25:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 23 Oct 2015 17:25:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1496) Extend TLS dpd signature

     [ https://bro-tracker.atlassian.net/browse/BIT-1496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1496:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> Extend TLS dpd signature
> ------------------------
>
>                 Key: BIT-1496
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1496
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Robin Sommer
>             Fix For: 2,5
>
>
> Please merge topic/johanna/tls_early_alert, which extends the TLS dpd signature to allow cases where the server sends a TLS alert before the Server hello.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net Fri Oct 23 15:25:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 23 Oct 2015 17:25:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1495) Fix join_string_vec for vectors with empty elements.

     [ https://bro-tracker.atlassian.net/browse/BIT-1495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1495:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> Fix join_string_vec for vectors with empty elements.
> ----------------------------------------------------
>
>                 Key: BIT-1495
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1495
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Robin Sommer
>             Fix For: 2.5
>
>
> Please merge topic/johanna/string_vec_null. It fixes a crash when using join_string_vec with vectors that can contain empty elements.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net Fri Oct 23 15:30:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 23 Oct 2015 17:30:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1487) protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

     [ https://bro-tracker.atlassian.net/browse/BIT-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1487:
-------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

Merged in c151a258438d62a0aa5202192d84deb62d53f4bd

> protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response
> --------------------------------------------------------------------------------------------------
>
>                 Key: BIT-1487
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1487
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Eric Karasuda
>            Assignee: Robin Sommer
>             Fix For: 2.5
>
>         Attachments: http-connect.patch, http-connect.pcap, output-without-patch.tar.gz, output-with-patch.tar.gz
>
>
> Failure scenario:
> * a client makes an HTTP request to a proxy: CONNECT secure.newegg.com:443
> * the server responds HTTP 200
> * the proxy adds a header to the server's response (e.g. "Proxy-agent: Apache/2.4.16 (Unix)" in the attached pcap).
> * SSL handshake proceeds
> * Bro fails to identify the SSL handshake
>
> As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it instantiates a child analyzer and passes the rest of the server's response to the child. In particular, this means the "Proxy-agent" header is treated as the first data transmitted in the SSL handshake. As a result, protocol detection fails.
>
> The attached patch remembers that the HTTP 200 was received and only instantiates the child analyzer when the newline is reached at the end of the HTTP message (e.g. after the "Proxy-agent" header).
>
> Running {{bro -C -r http-connect.pcap}} with the attached pcap should output {{output-without-patch.tar.gz}} before applying the patch (note the absence of ssl.log) and should output {{output-with-patch.tar.gz}} after applying the patch.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net Fri Oct 23 19:11:00 2015
From: jira at bro-tracker.atlassian.net (scampbell (JIRA))
Date: Fri, 23 Oct 2015 21:11:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1498) add '-q' to ssh execution in ssh_runner.py

scampbell created BIT-1498:
------------------------------

             Summary: add '-q' to ssh execution in ssh_runner.py
                 Key: BIT-1498
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1498
             Project: Bro Issue Tracker
          Issue Type: Patch
          Components: BroControl
    Affects Versions: 2.4
            Reporter: scampbell


When using broctl in an environment with login banners, they will be displayed in the broctl command. In the event that they cannot be configured away on the sshd end, using '-q' avoids displaying the banner on the client side.

The patch is trivial:

--- a/BroControl/ssh_runner.py
+++ b/BroControl/ssh_runner.py
@@ -108,6 +108,7 @@ class SSHMaster:
         self.base_cmd = [
             "ssh",
             "-o", "BatchMode=yes",
+            "-q",
             host,
         ]
         self.need_connect = True

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From noreply at bro.org Sat Oct 24 00:00:29 2015
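Review bot: the added "-q" in base_cmd silences more than the login banner. ssh's quiet mode suppresses warnings and diagnostic messages as well, so when a BatchMode=yes connection to a node fails non-interactively (host key or authentication problems), broctl will observe the failure without the message that explains it. Suggest a comment next to the flag recording that trade-off, or making it conditional on a BroControl option so an operator debugging node connectivity can turn it off.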
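Returning to BIT-1487 above: the two handoff strategies it contrasts (child analyzer started right after the 200 status line versus after the blank line that ends the HTTP message), modelled as an added example that is not Bro's analyzer code. The proxy response and TLS records are constructed, and the TLS check also accepts an alert record sent before the ServerHello, the case BIT-1496 adds to the dpd signature.

```python
"""Added example (not Bro source code) modelling the CONNECT handoff described
in BIT-1487 and the "alert before ServerHello" case from BIT-1496.  The sample
proxy response and TLS records below are constructed for the demonstration."""

TLS_ALERT = 0x15
TLS_HANDSHAKE = 0x16
HANDSHAKE_SERVER_HELLO = 0x02


def split_after_status_line(server_bytes):
    """Pre-patch behaviour described in the ticket: as soon as the 200 status
    line is complete, everything after it is handed to the child analyzer."""
    end = server_bytes.find(b"\r\n")
    if end < 0:
        return server_bytes, None          # status line not complete yet
    return server_bytes[:end + 2], server_bytes[end + 2:]


def split_after_headers(server_bytes):
    """Patched behaviour: remember the 200 and hand off only once the blank
    line terminating the HTTP message has been seen, so proxy-added headers
    such as Proxy-agent stay with the HTTP analyzer."""
    end = server_bytes.find(b"\r\n\r\n")
    if end < 0:
        return server_bytes, None          # headers not finished, keep buffering
    return server_bytes[:end + 4], server_bytes[end + 4:]


def looks_like_tls_server_start(data):
    """Accept the two things a TLS server may legitimately send first:
    a handshake record carrying a ServerHello, or (BIT-1496) an alert record."""
    if data is None or len(data) < 5:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    if major != 3 or minor > 3:            # SSL 3.0 .. TLS 1.2 record versions
        return False
    if content_type == TLS_HANDSHAKE:
        return len(data) > 5 and data[5] == HANDSHAKE_SERVER_HELLO
    if content_type == TLS_ALERT:
        return record_len == 2             # alert body is level + description
    return False


def ssl_detected(server_stream, patched):
    """Run the server->client bytes through either handoff model and report
    whether the tunneled payload would be recognised as TLS."""
    split = split_after_headers if patched else split_after_status_line
    _http_part, tunneled = split(server_stream)
    return looks_like_tls_server_start(tunneled)


# Constructed sample data mirroring the ticket's scenario.
CONNECT_200_WITH_PROXY_HEADER = (
    b"HTTP/1.0 200 Connection Established\r\n"
    b"Proxy-agent: Apache/2.4.16 (Unix)\r\n"
    b"\r\n"
)
CONNECT_200_BARE = b"HTTP/1.0 200 Connection Established\r\n\r\n"

# Minimal TLS 1.2 ServerHello: 5-byte record header, 4-byte handshake header,
# 38-byte body (version, 32-byte random, empty session id, cipher, compression).
SERVER_HELLO = (
    bytes([TLS_HANDSHAKE, 0x03, 0x03, 0x00, 0x2A])
    + bytes([HANDSHAKE_SERVER_HELLO, 0x00, 0x00, 0x26])
    + b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
)
# Fatal handshake_failure alert sent instead of a ServerHello.
EARLY_ALERT = bytes([TLS_ALERT, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])


if __name__ == "__main__":
    stream = CONNECT_200_WITH_PROXY_HEADER + SERVER_HELLO
    print("unpatched, proxy header present:", ssl_detected(stream, patched=False))
    print("patched,   proxy header present:", ssl_detected(stream, patched=True))
    print("patched,   alert before hello:  ",
          ssl_detected(CONNECT_200_WITH_PROXY_HEADER + EARLY_ALERT, patched=True))
```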
From: noreply at bro.org (Merge Tracker)
Date: Sat, 24 Oct 2015 00:00:29 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510240700.t9O70ThK004619@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

Issue     Component    User                   Updated     Title
--------  -----------  ---------------------  ----------  ------------------------------------------------------------------------
#46 [3]   bro          albertzaharovits [4]   2015-10-24  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#9 [6]    bro-plugins  J-Gras [7]             2015-10-23  AF_Packet packet source plugin [8]
#8 [9]    bro-plugins  michalpurzynski [10]   2015-10-17  Myricom SNF v3 packet source plugin [11]
#6 [12]   bro-plugins  jswaro [13]            2015-10-16  Adding initial conversion of TCPRS to a plugin [14]
#2 [15]   broctl       J-Gras [16]            2015-10-21  Added plugin for custom load balancing [17]

[1]  BIT-1489  https://bro-tracker.atlassian.net/browse/BIT-1489
[2]  ticket1396  https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3]  Pull Request #46  https://github.com/bro/bro/pull/46
[4]  albertzaharovits  https://github.com/albertzaharovits
[5]  Merge Pull Request #46 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6]  Pull Request #9  https://github.com/bro/bro-plugins/pull/9
[7]  J-Gras  https://github.com/J-Gras
[8]  Merge Pull Request #9 with  git pull --no-ff --no-commit https://github.com/J-Gras/bro-plugins.git topic/jgras/af-packet
[9]  Pull Request #8  https://github.com/bro/bro-plugins/pull/8
[10] michalpurzynski  https://github.com/michalpurzynski
[11] Merge Pull Request #8 with  git pull --no-ff --no-commit https://github.com/michalpurzynski/bro-plugins.git master
[12] Pull Request #6  https://github.com/bro/bro-plugins/pull/6
[13] jswaro  https://github.com/jswaro
[14] Merge Pull Request #6 with  git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[15] Pull Request #2  https://github.com/bro/broctl/pull/2
[16] J-Gras  https://github.com/J-Gras
[17] Merge Pull Request #2 with  git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/lb-custom

From noreply at bro.org Sun Oct 25 00:00:32 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 25 Oct 2015 00:00:32 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510250700.t9P70WSk029235@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

Issue     Component    User                   Updated     Title
--------  -----------  ---------------------  ----------  ------------------------------------------------------------------------
#46 [3]   bro          albertzaharovits [4]   2015-10-24  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#9 [6]    bro-plugins  J-Gras [7]             2015-10-23  AF_Packet packet source plugin [8]
#8 [9]    bro-plugins  michalpurzynski [10]   2015-10-17  Myricom SNF v3 packet source plugin [11]
#6 [12]   bro-plugins  jswaro [13]            2015-10-16  Adding initial conversion of TCPRS to a plugin [14]
#2 [15]   broctl       J-Gras [16]            2015-10-21  Added plugin for custom load balancing [17]
#1 [18]   broctl       J-Gras [19]            2015-10-24  Added support for Pcap options [20]

[1]  BIT-1489  https://bro-tracker.atlassian.net/browse/BIT-1489
[2]  ticket1396  https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3]  Pull Request #46  https://github.com/bro/bro/pull/46
[4]  albertzaharovits  https://github.com/albertzaharovits
[5]  Merge Pull Request #46 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6]  Pull Request #9  https://github.com/bro/bro-plugins/pull/9
[7]  J-Gras  https://github.com/J-Gras
[8]  Merge Pull Request #9 with  git pull --no-ff --no-commit https://github.com/J-Gras/bro-plugins.git topic/jgras/af-packet
[9]  Pull Request #8  https://github.com/bro/bro-plugins/pull/8
[10] michalpurzynski  https://github.com/michalpurzynski
[11] Merge Pull Request #8 with  git pull --no-ff --no-commit https://github.com/michalpurzynski/bro-plugins.git master
[12] Pull Request #6  https://github.com/bro/bro-plugins/pull/6
[13] jswaro  https://github.com/jswaro
[14] Merge Pull Request #6 with  git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[15] Pull Request #2  https://github.com/bro/broctl/pull/2
[16] J-Gras  https://github.com/J-Gras
[17] Merge Pull Request #2 with  git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/lb-custom
[18] Pull Request #1  https://github.com/bro/broctl/pull/1
[19] J-Gras  https://github.com/J-Gras
[20] Merge Pull Request #1 with  git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Mon Oct 26 00:00:26 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 26 Oct 2015 00:00:26 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510260700.t9Q70Q4J018070@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

Issue     Component    User                   Updated     Title
--------  -----------  ---------------------  ----------  ------------------------------------------------------------------------
#46 [3]   bro          albertzaharovits [4]   2015-10-24  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#9 [6]    bro-plugins  J-Gras [7]             2015-10-23  AF_Packet packet source plugin [8]
#8 [9]    bro-plugins  michalpurzynski [10]   2015-10-17  Myricom SNF v3 packet source plugin [11]
#6 [12]   bro-plugins  jswaro [13]            2015-10-16  Adding initial conversion of TCPRS to a plugin [14]
#2 [15]   broctl       J-Gras [16]            2015-10-21  Added plugin for custom load balancing [17]
#1 [18]   broctl       J-Gras [19]            2015-10-24  Added support for Pcap options [20]

[1]  BIT-1489  https://bro-tracker.atlassian.net/browse/BIT-1489
[2]  ticket1396  https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3]  Pull Request #46  https://github.com/bro/bro/pull/46
[4]  albertzaharovits  https://github.com/albertzaharovits
[5]  Merge Pull Request #46 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6]  Pull Request #9  https://github.com/bro/bro-plugins/pull/9
[7]  J-Gras  https://github.com/J-Gras
[8]  Merge Pull Request #9 with  git pull --no-ff --no-commit https://github.com/J-Gras/bro-plugins.git topic/jgras/af-packet
[9]  Pull Request #8  https://github.com/bro/bro-plugins/pull/8
[10] michalpurzynski  https://github.com/michalpurzynski
[11] Merge Pull Request #8 with  git pull --no-ff --no-commit https://github.com/michalpurzynski/bro-plugins.git master
[12] Pull Request #6  https://github.com/bro/bro-plugins/pull/6
[13] jswaro  https://github.com/jswaro
[14] Merge Pull Request #6 with  git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[15] Pull Request #2  https://github.com/bro/broctl/pull/2
[16] J-Gras  https://github.com/J-Gras
[17] Merge Pull Request #2 with  git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/lb-custom
[18] Pull Request #1  https://github.com/bro/broctl/pull/1
[19] J-Gras  https://github.com/J-Gras
[20] Merge Pull Request #1 with  git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Mon Oct 26 07:39:01 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Mon, 26 Oct 2015 09:39:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-672) Bring POP3 back into the distribution

    [ https://bro-tracker.atlassian.net/browse/BIT-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22700#comment-22700 ]

Aaron Eppert commented on BIT-672:
----------------------------------

If the question is keeping POP3, but keeping it disabled, I request it stay. I can and will submit scripts for POP3 to make it appropriately viable too, if that helps keep it as a protocol.

> Bring POP3 back into the distribution
> -------------------------------------
>
>                 Key: BIT-672
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-672
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Matthias Vallentin
>            Assignee: Seth Hall
>             Fix For: 2.5
>
>
> The current master no longer has support for POP3. It lingers around, but we need to bring it back into the distribution.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net Mon Oct 26 09:34:02 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 26 Oct 2015 11:34:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-672) Bring POP3 back into the distribution

    [ https://bro-tracker.atlassian.net/browse/BIT-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22701#comment-22701 ]

Robin Sommer commented on BIT-672:
----------------------------------

I'd like to bring back the support for POP3; however, the main concern was not the lack of scripts (that shouldn't be too difficult) but the quality of the C++ code. The code would need either a careful review or, better, a rewrite in binpac.

> Bring POP3 back into the distribution
> -------------------------------------
>
>                 Key: BIT-672
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-672
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Matthias Vallentin
>            Assignee: Seth Hall
>             Fix For: 2.5
>
>
> The current master no longer has support for POP3. It lingers around, but we need to bring it back into the distribution.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net Mon Oct 26 10:07:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 26 Oct 2015 12:07:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1498) add '-q' to ssh execution in ssh_runner.py

     [ https://bro-tracker.atlassian.net/browse/BIT-1498?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1498:
---------------------------------

    Assignee: Daniel Thayer

> add '-q' to ssh execution in ssh_runner.py
> ------------------------------------------
>
>                 Key: BIT-1498
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1498
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: BroControl
>    Affects Versions: 2.4
>            Reporter: scampbell
>            Assignee: Daniel Thayer
>              Labels: broctl
>
> When using broctl in an environment with login banners, they will be displayed in the broctl command. In the event that they cannot be configured away on the sshd end, using '-q' avoids displaying the banner on the client side.
>
> The patch is trivial:
>
> --- a/BroControl/ssh_runner.py
> +++ b/BroControl/ssh_runner.py
> @@ -108,6 +108,7 @@ class SSHMaster:
>          self.base_cmd = [
>              "ssh",
>              "-o", "BatchMode=yes",
> +            "-q",
>              host,
>          ]
>          self.need_connect = True

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From james.swaro at gmail.com Mon Oct 26 16:46:08 2015
From: james.swaro at gmail.com (James Swaro)
Date: Mon, 26 Oct 2015 18:46:08 -0500
Subject: [Bro-Dev] Master broken?

https://github.com/bro/bro/commit/a83d97937e2a201065e80374138ab4222f132b36

The 'TCP_Flags.h' file appears to be missing. After fetching recent changes, my compilation fails. If I check out the prior commit, it seems fine (other than some doc.sphinx.* unit test failures).

James Swaro

From robin at icir.org Mon Oct 26 16:58:30 2015
From: robin at icir.org (Robin Sommer)
Date: Mon, 26 Oct 2015 16:58:30 -0700
Subject: [Bro-Dev] Master broken?
Message-ID: <20151026235829.GU31676@icir.org>

Oh, that's missing indeed. Fix will come shortly.

Thanks,

Robin

On Mon, Oct 26, 2015 at 18:46 -0500, you wrote:

> https://github.com/bro/bro/commit/a83d97937e2a201065e80374138ab4222f132b36
>
> The 'TCP_Flags.h' file appears to be missing. After fetching recent
> changes, my compilation fails. If I checkout the prior commit, it seems
> fine (other than some doc.sphinx.* unit test failures).
>
> James Swaro

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From noreply at bro.org Tue Oct 27 00:00:28 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 27 Oct 2015 00:00:28 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510270700.t9R70S8n025053@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

Issue     Component    User                   Updated     Title
--------  -----------  ---------------------  ----------  ------------------------------------------------------------------------
#46 [3]   bro          albertzaharovits [4]   2015-10-26  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#6 [6]    bro-plugins  jswaro [7]             2015-10-27  Adding initial conversion of TCPRS to a plugin [8]
#2 [9]    broctl       J-Gras [10]            2015-10-21  Added plugin for custom load balancing [11]
#1 [12]   broctl       J-Gras [13]            2015-10-24  Added support for Pcap options [14]

[1]  BIT-1489  https://bro-tracker.atlassian.net/browse/BIT-1489
[2]  ticket1396  https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3]  Pull Request #46  https://github.com/bro/bro/pull/46
[4]  albertzaharovits  https://github.com/albertzaharovits
[5]  Merge Pull Request #46 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6]  Pull Request #6  https://github.com/bro/bro-plugins/pull/6
[7]  jswaro  https://github.com/jswaro
[8]  Merge Pull Request #6 with  git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[9]  Pull Request #2  https://github.com/bro/broctl/pull/2
[10] J-Gras  https://github.com/J-Gras
[11] Merge Pull Request #2 with  git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/lb-custom
[12] Pull Request #1  https://github.com/bro/broctl/pull/1
[13] J-Gras  https://github.com/J-Gras
[14] Merge Pull Request #1 with  git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Wed Oct 28 00:00:29 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 28 Oct 2015 00:00:29 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510280700.t9S70Tpk014380@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

Issue     Component    User                   Updated     Title
--------  -----------  ---------------------  ----------  ------------------------------------------------------------------------
#46 [3]   bro          albertzaharovits [4]   2015-10-26  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#6 [6]    bro-plugins  jswaro [7]             2015-10-27  Adding initial conversion of TCPRS to a plugin [8]
#1 [9]    broctl       J-Gras [10]            2015-10-24  Added support for Pcap options [11]

[1]  BIT-1489  https://bro-tracker.atlassian.net/browse/BIT-1489
[2]  ticket1396  https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3]  Pull Request #46  https://github.com/bro/bro/pull/46
[4]  albertzaharovits  https://github.com/albertzaharovits
[5]  Merge Pull Request #46 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6]  Pull Request #6  https://github.com/bro/bro-plugins/pull/6
[7]  jswaro  https://github.com/jswaro
[8]  Merge Pull Request #6 with  git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[9]  Pull Request #1  https://github.com/bro/broctl/pull/1
[10] J-Gras  https://github.com/J-Gras
[11] Merge Pull Request #1 with  git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Thu Oct 29 00:00:34 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 29 Oct 2015 00:00:34 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510290700.t9T70Y93020479@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

Issue     Component    User                   Updated     Title
--------  -----------  ---------------------  ----------  ------------------------------------------------------------------------
#46 [3]   bro          albertzaharovits [4]   2015-10-26  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#1 [6]    broctl       J-Gras [7]             2015-10-24  Added support for Pcap options [8]

[1]  BIT-1489  https://bro-tracker.atlassian.net/browse/BIT-1489
[2]  ticket1396  https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3]  Pull Request #46  https://github.com/bro/bro/pull/46
[4]  albertzaharovits  https://github.com/albertzaharovits
[5]  Merge Pull Request #46 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6]  Pull Request #1  https://github.com/bro/broctl/pull/1
[7]  J-Gras  https://github.com/J-Gras
[8]  Merge Pull Request #1 with  git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Fri Oct 30 00:00:21 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 30 Oct 2015 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510300700.t9U70Lo2003487@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

Issue     Component    User                   Updated     Title
--------  -----------  ---------------------  ----------  ------------------------------------------------------------------------
#46 [3]   bro          albertzaharovits [4]   2015-10-26  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#1 [6]    broctl       J-Gras [7]             2015-10-24  Added support for Pcap options [8]

[1]  BIT-1489  https://bro-tracker.atlassian.net/browse/BIT-1489
[2]  ticket1396  https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3]  Pull Request #46  https://github.com/bro/bro/pull/46
[4]  albertzaharovits  https://github.com/albertzaharovits
[5]  Merge Pull Request #46 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6]  Pull Request #1  https://github.com/bro/broctl/pull/1
[7]  J-Gras  https://github.com/J-Gras
[8]  Merge Pull Request #1 with  git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Fri Oct 30 00:13:02 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 30 Oct 2015 02:13:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1498) add '-q' to ssh execution in ssh_runner.py

     [ https://bro-tracker.atlassian.net/browse/BIT-1498?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1498:
-------------------------------

    Fix Version/s: 2.5

> add '-q' to ssh execution in ssh_runner.py
> ------------------------------------------
>
>                 Key: BIT-1498
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1498
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: BroControl
>    Affects Versions: 2.4
>            Reporter: scampbell
>            Assignee: Daniel Thayer
>              Labels: broctl
>             Fix For: 2.5
>
>
> When using broctl in an environment with login banners, they will be displayed in the broctl command. In the event that they cannot be configured away on the sshd end, using '-q' avoids displaying the banner on the client side.
>
> The patch is trivial:
>
> --- a/BroControl/ssh_runner.py
> +++ b/BroControl/ssh_runner.py
> @@ -108,6 +108,7 @@ class SSHMaster:
>          self.base_cmd = [
>              "ssh",
>              "-o", "BatchMode=yes",
> +            "-q",
>              host,
>          ]
>          self.need_connect = True

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net Fri Oct 30 00:14:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 30 Oct 2015 02:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days.
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1490:
-------------------------------

    Fix Version/s: 2.5

> Need ability to expire logs with more granularity than #days.
> -------------------------------------------------------------
>
>                 Key: BIT-1490
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1490
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Daniel Thayer
>            Priority: Low
>             Fix For: 2.5
>
>
> There are some users that would like or need to have BroControl maintain their collected logs with tighter granularity than how many days old the logs are.
> Right now the find command that determines which files to delete uses `-mtime` which is `x*24hr`. We would need to use the `-mmin` argument otherwise, but I suspect this would introduce the need to do some parsing of the value given so that people could specify things like `10hr` or `5days`.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net Fri Oct 30 00:17:00 2015
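A retention-interval parser of the kind the ticket anticipates, as an added example that is not BroControl's own code: a bare number keeps the existing "days" meaning, suffixed values such as `10hr` or `5days` select finer granularity, and the result is turned into the `-mmin` argument for `find`. The unit table, the `expire_find_args` helper and the `-type f` filter are assumptions of this example.

```python
import re

# Constructed unit table (an assumption of this example): suffix -> minutes.
_UNITS = {
    "m": 1, "min": 1, "mins": 1, "minute": 1, "minutes": 1,
    "h": 60, "hr": 60, "hrs": 60, "hour": 60, "hours": 60,
    "d": 1440, "day": 1440, "days": 1440,
}

# An unsigned integer, optional whitespace, optional alphabetic unit.
_SPEC_RE = re.compile(r"^\s*(\d+)\s*([A-Za-z]*)\s*$")


def parse_expiry_minutes(spec):
    """Return the retention interval in minutes.

    A bare number keeps BroControl's current meaning (days), so existing
    configurations keep working; a unit suffix gives sub-day granularity.
    Anything else raises ValueError, so a typo can never silently turn
    into a much shorter retention window and delete logs early.
    """
    m = _SPEC_RE.match(str(spec))
    if not m:
        raise ValueError("bad log expiry interval: %r" % (spec,))
    count, unit = int(m.group(1)), m.group(2).lower() or "days"
    if unit not in _UNITS:
        raise ValueError("unknown unit %r in expiry interval %r" % (unit, spec))
    if count <= 0:
        raise ValueError("expiry interval must be positive: %r" % (spec,))
    return count * _UNITS[unit]


def expire_find_args(logdir, spec):
    """Build the argv for the find(1) call that selects expired log files.

    `-mtime +N` discards fractional days, so it only matches files at least
    N+1 days old; `-mmin +N` compares in whole minutes, so every interval,
    including whole days, is expressed through it for consistent behaviour.
    """
    minutes = parse_expiry_minutes(spec)
    return ["find", logdir, "-type", "f", "-mmin", "+%d" % minutes]


if __name__ == "__main__":
    for spec in ("7", "10hr", "5days", "90min"):
        print(spec, "->", " ".join(expire_find_args("/var/opt/bro/logs", spec)))
```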
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 30 Oct 2015 02:17:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-991) Imap Analyzer
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-991?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-991:
------------------------------

    Resolution: Incomplete
        Status: Closed  (was: Open)

I am closing this as we do not want to merge the current version. If you / someone wants to rewrite the patch using binpac, please feel free to either re-open this bug or file a new ticket.

> Imap Analyzer
> -------------
>
>                 Key: BIT-991
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-991
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: nicolas
>            Assignee: Seth Hall
>            Priority: Low
>              Labels: Imap, analyzer
>             Fix For: 2.5
>         Attachments: 0001-IMAP-analyzer.patch
>
>
> Here is an Imap Analyzer and a quick script sample. It is inspired by the POP3 Analyzer.
> No problem to make some coding changes if you ask.
> Nicolas

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net Fri Oct 30 00:20:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 30 Oct 2015 02:20:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1461) Bro Mgr Scripts Fail After Threat Intel Feed Add
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1461:
-------------------------------

    Resolution: Incomplete
        Status: Closed  (was: Open)

I am closing this as I assume the problem to be fixed with the last comment. Please re-open if it persists.

> Bro Mgr Scripts Fail After Threat Intel Feed Add
> ------------------------------------------------
>
>                 Key: BIT-1461
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1461
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.5
>            Reporter: Tim Jackson
>            Priority: Low
>
> Getting the following on check after inclusion of 3rd party threat intel feeds. Unsure of how to continue.
>
> manager scripts failed.
> internal error: Value not found in enum mappimg. Module: Intel, var: undefined, var size: 9
> /opt/bro/share/broctl/scripts/check-config: line 28: 30661 Aborted (core dumped) ${bro} "$@"
> proxy scripts are ok.
> calidcbrosrv001-eth1-1 scripts are ok.
> calidcbrosrv001-eth1-2 scripts are ok.
>
> Thanks
> Tim

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From jira at bro-tracker.atlassian.net Fri Oct 30 06:31:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 30 Oct 2015 08:31:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1499) Updates for newer version of OpenSSL/LibreSSL
In-Reply-To:
References:
Message-ID:

Seth Hall created BIT-1499:
------------------------------

             Summary: Updates for newer version of OpenSSL/LibreSSL
                 Key: BIT-1499
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1499
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro, Broccoli
    Affects Versions: git/master
            Reporter: Seth Hall
         Attachments: patch-aux_broccoli_src_bro__openssl.c, patch-src_ChunkedIO.cc

A comment from Christoph Pietsch:

{quote}Currently bro fails to build when openssl libraries have been built without SSLv3 (configure --no-ssl2 --nossl3). This has surfaced when building with the latest LibreSSL 2.3. Attached patches address all these issues. These can be improved upon by using only SSLv23_ methods or even TLS_ methods and setting SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've tried to make the patches minimally intrusive. OpenSSL 1.1.0 will deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}

The patches are attached. Fortunately all of this code is slated to be removed, but it does introduce the question of how we manage this moving forward. I'd like to avoid having to add compiler directives to use alternate implementations and detect which version of OpenSSL someone has installed.

Alternately, what does everyone think about deprecating the existing communication mechanism by making it a configure-time option? We can just not compile those by default, which means that almost everyone would just see everything work correctly and our effort would be minimal. People that need the existing built-in communication can still deal with the complications of compiling Bro with the option and having the correct version of OpenSSL.
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)

From noreply at bro.org Sat Oct 31 00:00:24 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 31 Oct 2015 00:00:24 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201510310700.t9V70O7n002391@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version   Priority   Summary
------------  -----------  -------------  ------------  ----------  ------------  ---------  -----------------------------
BIT-1489 [1]  BroControl   Daniel Thayer  Justin Azoff  2015-10-07  2.5           Normal     topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [3]  bro          albertzaharovits [4]  2015-10-26  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#1 [6]   broctl       J-Gras [7]            2015-10-24  Added support for Pcap options [8]

[1] BIT-1489          https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396        https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46  https://github.com/bro/bro/pull/46
[4] albertzaharovits  https://github.com/albertzaharovits
[5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1   https://github.com/bro/broctl/pull/1
[7] J-Gras            https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config