From noreply at bro.org Fri Apr 1 00:00:20 2016 
From: noreply at bro.org (Merge Tracker)
Date: Fri, 1 Apr 2016 00:00:20 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604010700.u3170KWW026347@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee      Updated     For Version    Priority    Summary
------------  -----------  --------------  ------------  ----------  -------------  ----------  --------------------------------------------------------
BIT-1563 [1]  Bro          Daniel Thayer   -             2016-03-30  2.5            Normal      BrokerComm and BrokerStore namespaces should be combined
BIT-1557 [2]  Broccoli     Daniel Thayer   -             2016-03-21  2.5            Low         broccoli code examples don't compile
BIT-1549 [3]  BroControl   Daniel Thayer   Justin Azoff  2016-03-31  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1528 [4]  Bro          Justin Azoff    -             2016-03-24  2.5            Normal      SNMP and SIP scans show up in known services.
BIT-1507 [5]  Bro          Jan Grashoefer  Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#64 [6]   bro          aeppert [7]      2016-03-31  Add disable_all_analyzers for connection shunting options [8]
#63 [9]   bro          WilliamTom [10]  2016-03-26  Wrong regex literal in scripting doc [11]
#52 [12]  bro          J-Gras [13]      2016-01-18  Fixed matching mail address intel [14]
#22 [15]  bro-plugins  nickwallen [16]  2016-03-23  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [17]
#18 [18]  bro-plugins  jshlbrd [19]     2016-03-03  SSDP analyzer [20]

[1]  BIT-1563          https://bro-tracker.atlassian.net/browse/BIT-1563
[2]  BIT-1557          https://bro-tracker.atlassian.net/browse/BIT-1557
[3]  BIT-1549          https://bro-tracker.atlassian.net/browse/BIT-1549
[4]  BIT-1528          https://bro-tracker.atlassian.net/browse/BIT-1528
[5]  BIT-1507          https://bro-tracker.atlassian.net/browse/BIT-1507
[6]  Pull Request #64  https://github.com/bro/bro/pull/64
[7]  aeppert           https://github.com/aeppert
[8]  Merge Pull Request #64 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master
[9]  Pull Request #63  https://github.com/bro/bro/pull/63
[10] WilliamTom        https://github.com/WilliamTom
[11] Merge Pull Request #63 with git pull --no-ff --no-commit https://github.com/WilliamTom/bro.git master
[12] Pull Request #52  https://github.com/bro/bro/pull/52
[13] J-Gras            https://github.com/J-Gras
[14] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[15] Pull Request #22  https://github.com/bro/bro-plugins/pull/22
[16] nickwallen        https://github.com/nickwallen
[17] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[18] Pull Request #18  https://github.com/bro/bro-plugins/pull/18
[19] jshlbrd           https://github.com/jshlbrd
[20] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From jira at bro-tracker.atlassian.net Fri Apr 1 00:18:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 1 Apr 2016 02:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1549) broctl top command doesn't work on OS X 10.10 or newer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1549?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25308#comment-25308 ]

Johanna Amann commented on BIT-1549:
------------------------------------

Would it perhaps make more sense to use rprvt on osx 10.10 and vprvt on osx < 10.10?

> broctl top command doesn't work on OS X 10.10 or newer
> ------------------------------------------------------
>
> Key: BIT-1549
> URL: https://bro-tracker.atlassian.net/browse/BIT-1549
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: BroControl
> Reporter: Daniel Thayer
> Assignee: Justin Azoff
> Fix For: 2.5
>
>
> On OS X Mavericks, the broctl top command was working, but on Yosemite
> (and El Capitan), it no longer works. The reason is that the
> "-stats vprvt" option of the top command always prints "N/A".

--
This message was sent by Atlassian JIRA
(v7.2.0-OD-05-022#72002)

From jira at bro-tracker.atlassian.net Fri Apr 1 07:58:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 1 Apr 2016 09:58:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1549) broctl top command doesn't work on OS X 10.10 or newer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1549?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25310#comment-25310 ]

Daniel Thayer commented on BIT-1549:
------------------------------------

On OS X 10.10, the output of "rprvt" is also just "N/A".

> broctl top command doesn't work on OS X 10.10 or newer
> ------------------------------------------------------
>
> Key: BIT-1549
> URL: https://bro-tracker.atlassian.net/browse/BIT-1549
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: BroControl
> Reporter: Daniel Thayer
> Assignee: Justin Azoff
> Fix For: 2.5
>
>
> On OS X Mavericks, the broctl top command was working, but on Yosemite
> (and El Capitan), it no longer works. The reason is that the
> "-stats vprvt" option of the top command always prints "N/A".

--
This message was sent by Atlassian JIRA
(v7.2.0-OD-05-022#72002)

From noreply at bro.org Sat Apr 2 00:00:20 2016
From: noreply at bro.org (Merge Tracker)
Date: Sat, 2 Apr 2016 00:00:20 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604020700.u3270KML027711@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee      Updated     For Version    Priority    Summary
------------  -----------  --------------  ------------  ----------  -------------  ----------  --------------------------------------------------------
BIT-1563 [1]  Bro          Daniel Thayer   -             2016-03-30  2.5            Normal      BrokerComm and BrokerStore namespaces should be combined
BIT-1557 [2]  Broccoli     Daniel Thayer   -             2016-03-21  2.5            Low         broccoli code examples don't compile
BIT-1549 [3]  BroControl   Daniel Thayer   Justin Azoff  2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1528 [4]  Bro          Justin Azoff    -             2016-03-24  2.5            Normal      SNMP and SIP scans show up in known services.
BIT-1507 [5]  Bro          Jan Grashoefer  Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#63 [6]   bro          WilliamTom [7]   2016-03-26  Wrong regex literal in scripting doc [8]
#52 [9]   bro          J-Gras [10]      2016-01-18  Fixed matching mail address intel [11]
#22 [12]  bro-plugins  nickwallen [13]  2016-03-23  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [14]
#18 [15]  bro-plugins  jshlbrd [16]     2016-03-03  SSDP analyzer [17]

[1]  BIT-1563          https://bro-tracker.atlassian.net/browse/BIT-1563
[2]  BIT-1557          https://bro-tracker.atlassian.net/browse/BIT-1557
[3]  BIT-1549          https://bro-tracker.atlassian.net/browse/BIT-1549
[4]  BIT-1528          https://bro-tracker.atlassian.net/browse/BIT-1528
[5]  BIT-1507          https://bro-tracker.atlassian.net/browse/BIT-1507
[6]  Pull Request #63  https://github.com/bro/bro/pull/63
[7]  WilliamTom        https://github.com/WilliamTom
[8]  Merge Pull Request #63 with git pull --no-ff --no-commit https://github.com/WilliamTom/bro.git master
[9]  Pull Request #52  https://github.com/bro/bro/pull/52
[10] J-Gras            https://github.com/J-Gras
[11] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[12] Pull Request #22  https://github.com/bro/bro-plugins/pull/22
[13] nickwallen        https://github.com/nickwallen
[14] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[15] Pull Request #18  https://github.com/bro/bro-plugins/pull/18
[16] jshlbrd           https://github.com/jshlbrd
[17] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From noreply at bro.org Sun Apr 3 00:00:19 2016
From: noreply at bro.org (Merge Tracker)
Date: Sun, 3 Apr 2016 00:00:19 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604030700.u3370JUX014459@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee      Updated     For Version    Priority    Summary
------------  -----------  --------------  ------------  ----------  -------------  ----------  --------------------------------------------------------
BIT-1563 [1]  Bro          Daniel Thayer   -             2016-03-30  2.5            Normal      BrokerComm and BrokerStore namespaces should be combined
BIT-1557 [2]  Broccoli     Daniel Thayer   -             2016-03-21  2.5            Low         broccoli code examples don't compile
BIT-1549 [3]  BroControl   Daniel Thayer   Justin Azoff  2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1528 [4]  Bro          Justin Azoff    -             2016-03-24  2.5            Normal      SNMP and SIP scans show up in known services.
BIT-1507 [5]  Bro          Jan Grashoefer  Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#63 [6]   bro          WilliamTom [7]   2016-03-26  Wrong regex literal in scripting doc [8]
#52 [9]   bro          J-Gras [10]      2016-01-18  Fixed matching mail address intel [11]
#22 [12]  bro-plugins  nickwallen [13]  2016-04-03  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [14]
#18 [15]  bro-plugins  jshlbrd [16]     2016-03-03  SSDP analyzer [17]

[1]  BIT-1563          https://bro-tracker.atlassian.net/browse/BIT-1563
[2]  BIT-1557          https://bro-tracker.atlassian.net/browse/BIT-1557
[3]  BIT-1549          https://bro-tracker.atlassian.net/browse/BIT-1549
[4]  BIT-1528          https://bro-tracker.atlassian.net/browse/BIT-1528
[5]  BIT-1507          https://bro-tracker.atlassian.net/browse/BIT-1507
[6]  Pull Request #63  https://github.com/bro/bro/pull/63
[7]  WilliamTom        https://github.com/WilliamTom
[8]  Merge Pull Request #63 with git pull --no-ff --no-commit https://github.com/WilliamTom/bro.git master
[9]  Pull Request #52  https://github.com/bro/bro/pull/52
[10] J-Gras            https://github.com/J-Gras
[11] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[12] Pull Request #22  https://github.com/bro/bro-plugins/pull/22
[13] nickwallen        https://github.com/nickwallen
[14] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[15] Pull Request #18  https://github.com/bro/bro-plugins/pull/18
[16] jshlbrd           https://github.com/jshlbrd
[17] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From noreply at bro.org Mon Apr 4 00:00:21 2016
From: noreply at bro.org (Merge Tracker)
Date: Mon, 4 Apr 2016 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604040700.u3470LHh027316@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee      Updated     For Version    Priority    Summary
------------  -----------  --------------  ------------  ----------  -------------  ----------  --------------------------------------------------------
BIT-1563 [1]  Bro          Daniel Thayer   -             2016-03-30  2.5            Normal      BrokerComm and BrokerStore namespaces should be combined
BIT-1557 [2]  Broccoli     Daniel Thayer   -             2016-03-21  2.5            Low         broccoli code examples don't compile
BIT-1549 [3]  BroControl   Daniel Thayer   Justin Azoff  2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1528 [4]  Bro          Justin Azoff    -             2016-03-24  2.5            Normal      SNMP and SIP scans show up in known services.
BIT-1507 [5]  Bro          Jan Grashoefer  Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#63 [6]   bro          WilliamTom [7]   2016-03-26  Wrong regex literal in scripting doc [8]
#52 [9]   bro          J-Gras [10]      2016-01-18  Fixed matching mail address intel [11]
#22 [12]  bro-plugins  nickwallen [13]  2016-04-04  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [14]
#18 [15]  bro-plugins  jshlbrd [16]     2016-03-03  SSDP analyzer [17]

[1]  BIT-1563          https://bro-tracker.atlassian.net/browse/BIT-1563
[2]  BIT-1557          https://bro-tracker.atlassian.net/browse/BIT-1557
[3]  BIT-1549          https://bro-tracker.atlassian.net/browse/BIT-1549
[4]  BIT-1528          https://bro-tracker.atlassian.net/browse/BIT-1528
[5]  BIT-1507          https://bro-tracker.atlassian.net/browse/BIT-1507
[6]  Pull Request #63  https://github.com/bro/bro/pull/63
[7]  WilliamTom        https://github.com/WilliamTom
[8]  Merge Pull Request #63 with git pull --no-ff --no-commit https://github.com/WilliamTom/bro.git master
[9]  Pull Request #52  https://github.com/bro/bro/pull/52
[10] J-Gras            https://github.com/J-Gras
[11] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[12] Pull Request #22  https://github.com/bro/bro-plugins/pull/22
[13] nickwallen        https://github.com/nickwallen
[14] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[15] Pull Request #18  https://github.com/bro/bro-plugins/pull/18
[16] jshlbrd           https://github.com/jshlbrd
[17] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From jsiwek at illinois.edu Mon Apr 4 09:27:23 2016
From: jsiwek at illinois.edu (Siwek, Jon)
Date: Mon, 4 Apr 2016 16:27:23 +0000
Subject: [Bro-Dev] Broker: use of broker::peering
In-Reply-To: <20160401040041.GH26101@shogun>
References: <20160401040041.GH26101@shogun>
Message-ID:

> On Mar 31, 2016, at 11:00 PM, Matthias Vallentin wrote:
>
> In Broker, what is the use case for having an explicit peering between
> two endpoints? Would it maybe suffice to provide endpoint introspection,
> i.e., the ability to iterate over an endpoint's peers?

I don't recall if there's strong reasons to use those "peering" objects as a way of identifying "connection handles" instead of just having the API consume something that identifies individual peers by themselves.

I think you're safe changing it as long as a user continues to have a way to disconnect an endpoint from any one of its peers.

- Jon

From vallentin at icir.org Mon Apr 4 10:07:35 2016
From: vallentin at icir.org (Matthias Vallentin)
Date: Mon, 4 Apr 2016 10:07:35 -0700
Subject: [Bro-Dev] Broker: use of broker::peering
In-Reply-To:
References: <20160401040041.GH26101@shogun>
Message-ID: <20160404170735.GP26101@shogun>

> I think you're safe changing it as long as a user continues to have a
> way to disconnect an endpoint from any one of its peers.

Yep, that makes sense. Thanks for chiming in.

Matthias

From noreply at bro.org Tue Apr 5 00:00:23 2016
From: noreply at bro.org (Merge Tracker)
Date: Tue, 5 Apr 2016 00:00:23 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604050700.u3570NXE010745@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee      Updated     For Version    Priority    Summary
------------  -----------  --------------  ------------  ----------  -------------  ----------  --------------------------------------------------------
BIT-1563 [1]  Bro          Daniel Thayer   -             2016-03-30  2.5            Normal      BrokerComm and BrokerStore namespaces should be combined
BIT-1557 [2]  Broccoli     Daniel Thayer   -             2016-03-21  2.5            Low         broccoli code examples don't compile
BIT-1549 [3]  BroControl   Daniel Thayer   Justin Azoff  2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1528 [4]  Bro          Justin Azoff    -             2016-03-24  2.5            Normal      SNMP and SIP scans show up in known services.
BIT-1507 [5]  Bro          Jan Grashoefer  Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#63 [6]   bro          WilliamTom [7]   2016-03-26  Wrong regex literal in scripting doc [8]
#52 [9]   bro          J-Gras [10]      2016-01-18  Fixed matching mail address intel [11]
#22 [12]  bro-plugins  nickwallen [13]  2016-04-04  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [14]
#18 [15]  bro-plugins  jshlbrd [16]     2016-03-03  SSDP analyzer [17]

[1]  BIT-1563          https://bro-tracker.atlassian.net/browse/BIT-1563
[2]  BIT-1557          https://bro-tracker.atlassian.net/browse/BIT-1557
[3]  BIT-1549          https://bro-tracker.atlassian.net/browse/BIT-1549
[4]  BIT-1528          https://bro-tracker.atlassian.net/browse/BIT-1528
[5]  BIT-1507          https://bro-tracker.atlassian.net/browse/BIT-1507
[6]  Pull Request #63  https://github.com/bro/bro/pull/63
[7]  WilliamTom        https://github.com/WilliamTom
[8]  Merge Pull Request #63 with git pull --no-ff --no-commit https://github.com/WilliamTom/bro.git master
[9]  Pull Request #52  https://github.com/bro/bro/pull/52
[10] J-Gras            https://github.com/J-Gras
[11] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[12] Pull Request #22  https://github.com/bro/bro-plugins/pull/22
[13] nickwallen        https://github.com/nickwallen
[14] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[15] Pull Request #18  https://github.com/bro/bro-plugins/pull/18
[16] jshlbrd           https://github.com/jshlbrd
[17] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From jira at bro-tracker.atlassian.net Tue Apr 5 15:57:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 5 Apr 2016 17:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25400#comment-25400 ]

Daniel Thayer commented on BIT-1510:
------------------------------------

Branch "topic/dnthayer/ticket1510" in the broctl repo changes the behavior of broctl when a node crashes during shutdown. In such a case, the node status after the "stop" command finishes will be "stopped" instead of "crashed". Also, a crash report is no longer generated in this case (however, the user will still be able to see an output message generated by the "stop" command and the user can still access the archived stdout/stderr.log files in case those are useful).

> Crash reports when no crash happened
> ------------------------------------
>
> Key: BIT-1510
> URL: https://bro-tracker.atlassian.net/browse/BIT-1510
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Seth Hall
> Fix For: 2.5
>
>
> We need to make broctl stop sending crash reports when Bro was shutdown by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.
> The crash report typically has the following text and no backtrace:
> ==== stderr.log
> KILLED
> received termination signal

--
This message was sent by Atlassian JIRA
(v7.2.0-OD-05-023#72002)

From noreply at bro.org Wed Apr 6 00:00:26 2016
From: noreply at bro.org (Merge Tracker)
Date: Wed, 6 Apr 2016 00:00:26 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604060700.u3670QVY026472@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee      Updated     For Version    Priority    Summary
------------  -----------  --------------  ------------  ----------  -------------  ----------  --------------------------------------------------------
BIT-1563 [1]  Bro          Daniel Thayer   -             2016-03-30  2.5            Normal      BrokerComm and BrokerStore namespaces should be combined
BIT-1557 [2]  Broccoli     Daniel Thayer   -             2016-03-21  2.5            Low         broccoli code examples don't compile
BIT-1549 [3]  BroControl   Daniel Thayer   Justin Azoff  2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1528 [4]  Bro          Justin Azoff    -             2016-03-24  2.5            Normal      SNMP and SIP scans show up in known services.
BIT-1507 [5]  Bro          Jan Grashoefer  Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#63 [6]   bro          WilliamTom [7]   2016-03-26  Wrong regex literal in scripting doc [8]
#52 [9]   bro          J-Gras [10]      2016-01-18  Fixed matching mail address intel [11]
#22 [12]  bro-plugins  nickwallen [13]  2016-04-04  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [14]
#18 [15]  bro-plugins  jshlbrd [16]     2016-03-03  SSDP analyzer [17]

[1]  BIT-1563          https://bro-tracker.atlassian.net/browse/BIT-1563
[2]  BIT-1557          https://bro-tracker.atlassian.net/browse/BIT-1557
[3]  BIT-1549          https://bro-tracker.atlassian.net/browse/BIT-1549
[4]  BIT-1528          https://bro-tracker.atlassian.net/browse/BIT-1528
[5]  BIT-1507          https://bro-tracker.atlassian.net/browse/BIT-1507
[6]  Pull Request #63  https://github.com/bro/bro/pull/63
[7]  WilliamTom        https://github.com/WilliamTom
[8]  Merge Pull Request #63 with git pull --no-ff --no-commit https://github.com/WilliamTom/bro.git master
[9]  Pull Request #52  https://github.com/bro/bro/pull/52
[10] J-Gras            https://github.com/J-Gras
[11] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[12] Pull Request #22  https://github.com/bro/bro-plugins/pull/22
[13] nickwallen        https://github.com/nickwallen
[14] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[15] Pull Request #18  https://github.com/bro/bro-plugins/pull/18
[16] jshlbrd           https://github.com/jshlbrd
[17] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From jira at bro-tracker.atlassian.net Wed Apr 6 00:42:00 2016
From: jira at bro-tracker.atlassian.net (Scott Knick (JIRA))
Date: Wed, 6 Apr 2016 02:42:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1564) BroControl incorrectly references ok attribute of results even when None type is returned
In-Reply-To:
References:
Message-ID:

Scott Knick created BIT-1564:
--------------------------------

Summary: BroControl incorrectly references ok attribute of results even when None type is returned
Key: BIT-1564
URL: https://bro-tracker.atlassian.net/browse/BIT-1564
Project: Bro Issue Tracker
Issue Type: Problem
Components: BroControl
Reporter: Scott Knick
Priority: Low


The various do_xxxx methods in bin/broctl attempt to reference the "ok" attribute of the results object returned from the BroCtl class' corresponding method. However, these methods can return the None type which has no "ok" attribute. This results in errors like this from BroControl:
{{[root at system spool]# /usr/local/bro/bin/broctl install
error: Unable to do xyz in plugin
Error: 'NoneType' object has no attribute 'ok'}}
I discovered this when returning False from the cmd_install_pre() method of my custom BroControl plugin.

--
This message was sent by Atlassian JIRA
(v7.2.0-OD-05-023#72002)

From jan.grashoefer at gmail.com Wed Apr 6 06:11:24 2016
From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Wed, 6 Apr 2016 15:11:24 +0200
Subject: [Bro-Dev] Per item expiration for tables
Message-ID: <57050AFC.1000609@gmail.com>

Hi,

I have a few things I am planning to add to the intel-framework. One of them is expiration for intelligence items. To achieve per item expiration in a table there is a little hack that is used in the notice-framework and in the new netcontrol-framework: By setting &create_expire=0 and returning the intended timeout for each item in the corresponding expire_func, one can achieve per item expiration (see e.g. scripts/base/frameworks/netcontrol/catch-and-release.bro).

This approach however does not work for &read_expire and &write_expire, because accessing the item resets the expiration timeout based on the &read/write_expire attribute of the table (in this case 0) instead of the value that was previously returned by the expire_func. The following script demonstrates this effect: https://gist.github.com/J-Gras/061983dac59224a03d3bfad4476a1dd9

The straight-forward solution would be to allow each item to hold its own expiration timeout. Talking to Seth about this, we came up with two possible approaches to achieve this:
1) Use the return value of the expire_func to set this value.
2) Use a bif or language feature (e.g. expire 10sec { tbl[idx] }; ) to set this value.

I would prefer the second approach, as the intention of the expire_func return value is to provide a delay for a single expiration event. This would e.g. allow to set an individual expire timeout of e.g. 1 hour for a single item. Once the expire_func is called one could set a delay of e.g. 10min. In case the item is accessed, the timeout would be reset to the originally intended 1 hour instead of 10min.

What are your opinions on that? Which approach would you prefer or do you think per item expiration is a bad idea in general?

Best regards,
Jan

From jira at bro-tracker.atlassian.net Wed Apr 6 07:52:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 6 Apr 2016 09:52:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1564) BroControl incorrectly references ok attribute of results even when None type is returned
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1564?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer reassigned BIT-1564:
----------------------------------

Assignee: Daniel Thayer

> BroControl incorrectly references ok attribute of results even when None type is returned
> -----------------------------------------------------------------------------------------
>
> Key: BIT-1564
> URL: https://bro-tracker.atlassian.net/browse/BIT-1564
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Reporter: Scott Knick
> Assignee: Daniel Thayer
> Priority: Low
>
> The various do_xxxx methods in bin/broctl attempt to reference the "ok" attribute of the results object returned from the BroCtl class' corresponding method. However, these methods can return the None type which has no "ok" attribute. This results in errors like this from BroControl:
> {{[root at system spool]# /usr/local/bro/bin/broctl install
> error: Unable to do xyz in plugin
> Error: 'NoneType' object has no attribute 'ok'}}
> I discovered this when returning False from the cmd_install_pre() method of my custom BroControl plugin.

--
This message was sent by Atlassian JIRA
(v7.2.0-OD-05-023#72002)

From jira at bro-tracker.atlassian.net Wed Apr 6 07:52:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 6 Apr 2016 09:52:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1564) BroControl incorrectly references ok attribute of results even when None type is returned
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1564?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1564:
-------------------------------

Fix Version/s: 2.5

> BroControl incorrectly references ok attribute of results even when None type is returned
> -----------------------------------------------------------------------------------------
>
> Key: BIT-1564
> URL: https://bro-tracker.atlassian.net/browse/BIT-1564
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Reporter: Scott Knick
> Assignee: Daniel Thayer
> Priority: Low
> Fix For: 2.5
>
>
> The various do_xxxx methods in bin/broctl attempt to reference the "ok" attribute of the results object returned from the BroCtl class' corresponding method. However, these methods can return the None type which has no "ok" attribute. This results in errors like this from BroControl:
> {{[root at system spool]# /usr/local/bro/bin/broctl install
> error: Unable to do xyz in plugin
> Error: 'NoneType' object has no attribute 'ok'}}
> I discovered this when returning False from the cmd_install_pre() method of my custom BroControl plugin.

--
This message was sent by Atlassian JIRA
(v7.2.0-OD-05-023#72002)

From jira at bro-tracker.atlassian.net Wed Apr 6 15:42:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 6 Apr 2016 17:42:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1564) BroControl incorrectly references ok attribute of results even when None type is returned
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1564?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25500#comment-25500 ]

Daniel Thayer commented on BIT-1564:
------------------------------------

In branch "topic/dnthayer/ticket1564" in the broctl git repo, I've fixed several commands so that the return value data type is consistent.

> BroControl incorrectly references ok attribute of results even when None type is returned
> -----------------------------------------------------------------------------------------
>
> Key: BIT-1564
> URL: https://bro-tracker.atlassian.net/browse/BIT-1564
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Reporter: Scott Knick
> Assignee: Daniel Thayer
> Priority: Low
> Fix For: 2.5
>
>
> The various do_xxxx methods in bin/broctl attempt to reference the "ok" attribute of the results object returned from the BroCtl class' corresponding method. However, these methods can return the None type which has no "ok" attribute. This results in errors like this from BroControl:
> {{[root at system spool]# /usr/local/bro/bin/broctl install
> error: Unable to do xyz in plugin
> Error: 'NoneType' object has no attribute 'ok'}}
> I discovered this when returning False from the cmd_install_pre() method of my custom BroControl plugin.

--
This message was sent by Atlassian JIRA
(v7.2.0-OD-05-023#72002)

From jira at bro-tracker.atlassian.net Wed Apr 6 15:43:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 6 Apr 2016 17:43:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1564) BroControl incorrectly references ok attribute of results even when None type is returned
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1564?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1564:
-------------------------------

Status: Merge Request (was: Open)
Assignee: (was: Daniel Thayer)

> BroControl incorrectly references ok attribute of results even when None type is returned
> -----------------------------------------------------------------------------------------
>
> Key: BIT-1564
> URL: https://bro-tracker.atlassian.net/browse/BIT-1564
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Reporter: Scott Knick
> Priority: Low
> Fix For: 2.5
>
>
> The various do_xxxx methods in bin/broctl attempt to reference the "ok" attribute of the results object returned from the BroCtl class' corresponding method. However, these methods can return the None type which has no "ok" attribute. This results in errors like this from BroControl:
> {{[root at system spool]# /usr/local/bro/bin/broctl install
> error: Unable to do xyz in plugin
> Error: 'NoneType' object has no attribute 'ok'}}
> I discovered this when returning False from the cmd_install_pre() method of my custom BroControl plugin.

--
This message was sent by Atlassian JIRA
(v7.2.0-OD-05-023#72002)

From noreply at bro.org Thu Apr 7 00:00:18 2016
From: noreply at bro.org (Merge Tracker) Date: Thu, 7 Apr 2016 00:00:18 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201604070700.u3770IkJ030555@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- -------------- ------------ ---------- ------------- ---------- ----------------------------------------------------------------------------------------- BIT-1564 [1] BroControl Scott Knick - 2016-04-06 2.5 Low BroControl incorrectly references ok attribute of results even when None type is returned BIT-1563 [2] Bro Daniel Thayer - 2016-03-30 2.5 Normal BrokerComm and BrokerStore namespaces should be combined BIT-1557 [3] Broccoli Daniel Thayer - 2016-03-21 2.5 Low broccoli code examples don't compile BIT-1549 [4] BroControl Daniel Thayer Justin Azoff 2016-04-01 2.5 Normal broctl top command doesn't work on OS X 10.10 or newer BIT-1528 [5] Bro Justin Azoff - 2016-03-24 2.5 Normal SNMP and SIP scans show up in known services. 
BIT-1507 [6] Bro Jan Grashoefer Seth Hall 2016-01-25 - Low Intel framework does not match mail addresses properly Open GitHub Pull Requests ========================= Issue Component User Updated Title -------- ----------- --------------- ---------- ----------------------------------------------------------------------- #63 [7] bro WilliamTom [8] 2016-03-26 Wrong regex literal in scripting doc [9] #52 [10] bro J-Gras [11] 2016-01-18 Fixed matching mail address intel [12] #22 [13] bro-plugins nickwallen [14] 2016-04-04 BIT-1559 Bro-Plugins Send each log stream to different kafka topic [15] #18 [16] bro-plugins jshlbrd [17] 2016-03-03 SSDP analyzer [18] [1] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564 [2] BIT-1563 https://bro-tracker.atlassian.net/browse/BIT-1563 [3] BIT-1557 https://bro-tracker.atlassian.net/browse/BIT-1557 [4] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549 [5] BIT-1528 https://bro-tracker.atlassian.net/browse/BIT-1528 [6] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507 [7] Pull Request #63 https://github.com/bro/bro/pull/63 [8] WilliamTom https://github.com/WilliamTom [9] Merge Pull Request #63 with git pull --no-ff --no-commit https://github.com/WilliamTom/bro.git master [10] Pull Request #52 https://github.com/bro/bro/pull/52 [11] J-Gras https://github.com/J-Gras [12] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507 [13] Pull Request #22 https://github.com/bro/bro-plugins/pull/22 [14] nickwallen https://github.com/nickwallen [15] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics [16] Pull Request #18 https://github.com/bro/bro-plugins/pull/18 [17] jshlbrd https://github.com/jshlbrd [18] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp From robin at icir.org Thu Apr 7 08:58:21 2016 
From: robin at icir.org (Robin Sommer) Date: Thu, 7 Apr 2016 08:58:21 -0700 Subject: [Bro-Dev] Per item expiration for tables In-Reply-To: <57050AFC.1000609@gmail.com> References: <57050AFC.1000609@gmail.com> Message-ID: <20160407155821.GE55417@icir.org> On Wed, Apr 06, 2016 at 15:11 +0200, you wrote: > What are your opinions on that? Which approach would you prefer or do > you think per item expiration is a bad idea in general? I understand the motivation but I would prefer to stick with existing mechanisms, as per item expiration times can get expensive (that would require storing an additional float for all table entries). It might also be a bit too specialized a use case to add new syntax to support it. Let me try an idea: could you limit the set of expiration times to a predefined list of choices (e.g., 10mins, 1hr, 1d, 1w, 1m)? Then you could work with a set of tables with corresponding expiration intervals. Robin -- Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin From jira at bro-tracker.atlassian.net Thu Apr 7 10:44:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Thu, 7 Apr 2016 12:44:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1510?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1510: ------------------------------- Status: Merge Request (was: Open) > Crash reports when no crash happened > ------------------------------------ > > Key: BIT-1510 > URL: https://bro-tracker.atlassian.net/browse/BIT-1510 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Affects Versions: git/master > Reporter: Seth Hall > Fix For: 2.5 > > > We need to make broctl stop sending crash reports when Bro was shutdown by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro. > The crash report typically has the following text and no backtrace: > ==== stderr.log > KILLED > received termination signal -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-023#72002) From jira at bro-tracker.atlassian.net Thu Apr 7 11:39:00 2016 
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Thu, 7 Apr 2016 13:39:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1564) BroControl incorrectly references ok attribute of results even when None type is returned In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1564?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer reassigned BIT-1564: ---------------------------------- Assignee: Justin Azoff > BroControl incorrectly references ok attribute of results even when None type is returned > ----------------------------------------------------------------------------------------- > > Key: BIT-1564 > URL: https://bro-tracker.atlassian.net/browse/BIT-1564 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Scott Knick > Assignee: Justin Azoff > Priority: Low > Fix For: 2.5 > > > The various do_xxxx methods in bin/broctl attempt to reference the "ok" attribute of the results object returned from the BroCtl class' corresponding method. However, these methods can return the None type which has no "ok" attribute. This results in errors like this from BroControl: > {{[root at system spool]# /usr/local/bro/bin/broctl install > error: Unable to do xyz in plugin > Error: 'NoneType' object has no attribute 'ok'}} > I discovered this when returning False from the cmd_install_pre() method of my custom BroControl plugin. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-023#72002) From jira at bro-tracker.atlassian.net Thu Apr 7 11:40:01 2016 
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Thu, 7 Apr 2016 13:40:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1510?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer reassigned BIT-1510: ---------------------------------- Assignee: Justin Azoff > Crash reports when no crash happened > ------------------------------------ > > Key: BIT-1510 > URL: https://bro-tracker.atlassian.net/browse/BIT-1510 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Affects Versions: git/master > Reporter: Seth Hall > Assignee: Justin Azoff > Fix For: 2.5 > > > We need to make broctl stop sending crash reports when Bro was shutdown by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro. > The crash report typically has the following text and no backtrace: > ==== stderr.log > KILLED > received termination signal -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-023#72002) From jira at bro-tracker.atlassian.net Thu Apr 7 13:32:00 2016 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Thu, 7 Apr 2016 15:32:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1557) broccoli code examples don't compile In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer reassigned BIT-1557: --------------------------------- Assignee: Robin Sommer > broccoli code examples don't compile > ------------------------------------ > > Key: BIT-1557 > URL: https://bro-tracker.atlassian.net/browse/BIT-1557 > Project: Bro Issue Tracker > Issue Type: Task > Components: Broccoli > Reporter: Daniel Thayer > Assignee: Robin Sommer > Priority: Low > Fix For: 2.5 > > > In the broccoli manual, there are code examples, and some of them contain > errors that prevent the code from compiling. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-023#72002) From jira at bro-tracker.atlassian.net Thu Apr 7 13:34:00 2016 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Thu, 7 Apr 2016 15:34:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1528) SNMP and SIP scans show up in known services. In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer reassigned BIT-1528: --------------------------------- Assignee: Robin Sommer > SNMP and SIP scans show up in known services. > --------------------------------------------- > > Key: BIT-1528 > URL: https://bro-tracker.atlassian.net/browse/BIT-1528 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Justin Azoff > Assignee: Robin Sommer > Fix For: 2.5 > > > It appears that single packet SIP and SNMP scans cause the destination host to end up in known_services as running a SIP or SNMP service, even though they are not running that service and did not respond to the packet. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-023#72002) From robin at icir.org Thu Apr 7 13:53:07 2016 From: robin at icir.org (Robin Sommer) Date: Thu, 7 Apr 2016 13:53:07 -0700 Subject: [Bro-Dev] Merging BIT-1563 (Re: [Auto] Merge Status) In-Reply-To: <201604070700.u3770IkJ030555@bro-ids.icir.org> References: <201604070700.u3770IkJ030555@bro-ids.icir.org> Message-ID: <20160407205307.GB88673@icir.org> On Thu, Apr 07, 2016 at 00:00 -0700, you wrote: > BIT-1563 [2] Bro Daniel Thayer - 2016-03-30 2.5 Normal BrokerComm and BrokerStore namespaces should be combined I think this change makes sense but it will break all Bro scripts out there that are currently using Broker. I think it's still ok to do such breaking changes for Broker now, but before going ahead and merge, I wanted to ask if anybody believes that's not a good idea? Robin -- Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin From noreply at bro.org Fri Apr 8 00:00:24 2016 
From: noreply at bro.org (Merge Tracker) Date: Fri, 8 Apr 2016 00:00:24 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201604080700.u3870Oi9024345@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- -------------- ------------ ---------- ------------- ---------- ----------------------------------------------------------------------------------------- BIT-1564 [1] BroControl Scott Knick Justin Azoff 2016-04-07 2.5 Low BroControl incorrectly references ok attribute of results even when None type is returned BIT-1563 [2] Bro Daniel Thayer - 2016-03-30 2.5 Normal BrokerComm and BrokerStore namespaces should be combined BIT-1557 [3] Broccoli Daniel Thayer Robin Sommer 2016-04-07 2.5 Low broccoli code examples don't compile BIT-1549 [4] BroControl Daniel Thayer Justin Azoff 2016-04-01 2.5 Normal broctl top command doesn't work on OS X 10.10 or newer BIT-1528 [5] Bro Justin Azoff Robin Sommer 2016-04-07 2.5 Normal SNMP and SIP scans show up in known services. 
BIT-1510 [6] BroControl Seth Hall Justin Azoff 2016-04-07 2.5 Normal Crash reports when no crash happened BIT-1507 [7] Bro Jan Grashoefer Seth Hall 2016-01-25 - Low Intel framework does not match mail addresses properly Open GitHub Pull Requests ========================= Issue Component User Updated Title -------- ----------- --------------- ---------- ----------------------------------------------------------------------- #63 [8] bro WilliamTom [9] 2016-04-07 Wrong regex literal in scripting doc [10] #52 [11] bro J-Gras [12] 2016-04-07 Fixed matching mail address intel [13] #22 [14] bro-plugins nickwallen [15] 2016-04-08 BIT-1559 Bro-Plugins Send each log stream to different kafka topic [16] #18 [17] bro-plugins jshlbrd [18] 2016-03-03 SSDP analyzer [19] [1] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564 [2] BIT-1563 https://bro-tracker.atlassian.net/browse/BIT-1563 [3] BIT-1557 https://bro-tracker.atlassian.net/browse/BIT-1557 [4] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549 [5] BIT-1528 https://bro-tracker.atlassian.net/browse/BIT-1528 [6] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510 [7] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507 [8] Pull Request #63 https://github.com/bro/bro/pull/63 [9] WilliamTom https://github.com/WilliamTom [10] Merge Pull Request #63 with git pull --no-ff --no-commit https://github.com/WilliamTom/bro.git master [11] Pull Request #52 https://github.com/bro/bro/pull/52 [12] J-Gras https://github.com/J-Gras [13] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507 [14] Pull Request #22 https://github.com/bro/bro-plugins/pull/22 [15] nickwallen https://github.com/nickwallen [16] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics [17] Pull Request #18 https://github.com/bro/bro-plugins/pull/18 [18] jshlbrd https://github.com/jshlbrd [19] Merge Pull 
Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp From jira at bro-tracker.atlassian.net Fri Apr 8 11:44:00 2016 From: jira at bro-tracker.atlassian.net (Doris Schioberg (JIRA)) Date: Fri, 8 Apr 2016 13:44:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1565) I added a sentence to the for-statement docu to warn about iterating over un-sorted lists In-Reply-To: References: Message-ID: Doris Schioberg created BIT-1565: ------------------------------------ Summary: I added a sentence to the for-statement docu to warn about iterating over un-sorted lists Key: BIT-1565 URL: https://bro-tracker.atlassian.net/browse/BIT-1565 Project: Bro Issue Tracker Issue Type: Improvement Components: Documentation Affects Versions: git/master Reporter: Doris Schioberg Priority: Low Attachments: 0001-Adding-a-sentence-to-the-for-loop-doc-that-warns-abo.patch I added a sentence to the for-statement docu to warn about iterating over un-sorted lists. For most people this might be obvious but might help some. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Fri Apr 8 12:45:01 2016 
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA)) Date: Fri, 8 Apr 2016 14:45:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adam Slagell updated BIT-1506: ------------------------------ Status: Reopened (was: Closed) Resolution: (was: Merged) > Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal > --------------------------------------------------------------------------- > > Key: BIT-1506 > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Assignee: Robin Sommer > Fix For: 2.5 > > > It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X > 10.11), and now Bro fails to build on OS X. Apple's recommendation is > that we either include a copy of OpenSSL ourselves or we use their > Secure Transport API. > [1] - -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Fri Apr 8 12:58:00 2016 
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA)) Date: Fri, 8 Apr 2016 14:58:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25600#comment-25600 ] Adam Slagell commented on BIT-1506: ----------------------------------- I still see three issues: * that we lack instructions on how to get 2.4.x to work on 10.11 * git-master still does not work out-of-the-box * configure option --with-openssl=PATH does not work completely. If someone comes up with simple instructions for getting 2.4.x to work on El Capitan, I will test them. Using the "--with-openssl" configure option does not set the path correctly for everything. I found that git-master will build if you export the correct path as below for home brew. export PKG_CONFIG_PATH=$(brew --prefix)/opt/openssl/lib/pkgconfig But we should try to make it detect automatically for common Mac packaging solutions like MacPorts and Homebrew. > Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal > --------------------------------------------------------------------------- > > Key: BIT-1506 > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Assignee: Robin Sommer > Fix For: 2.5 > > > It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X > 10.11), and now Bro fails to build on OS X. Apple's recommendation is > that we either include a copy of OpenSSL ourselves or we use their > Secure Transport API. > [1] - -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Fri Apr 8 13:30:00 2016 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Fri, 8 Apr 2016 15:30:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1528) SNMP and SIP scans show up in known services. In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1528: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > SNMP and SIP scans show up in known services. > --------------------------------------------- > > Key: BIT-1528 > URL: https://bro-tracker.atlassian.net/browse/BIT-1528 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Justin Azoff > Assignee: Robin Sommer > Fix For: 2.5 > > > It appears that single packet SIP and SNMP scans cause the destination host to end up in known_services as running a SIP or SNMP service, even though they are not running that service and did not respond to the packet. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Fri Apr 8 13:30:00 2016 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Fri, 8 Apr 2016 15:30:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1557) broccoli code examples don't compile In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1557: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > broccoli code examples don't compile > ------------------------------------ > > Key: BIT-1557 > URL: https://bro-tracker.atlassian.net/browse/BIT-1557 > Project: Bro Issue Tracker > Issue Type: Task > Components: Broccoli > Reporter: Daniel Thayer > Assignee: Robin Sommer > Priority: Low > Fix For: 2.5 > > > In the broccoli manual, there are code examples, and some of them contain > errors that prevent the code from compiling. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Fri Apr 8 13:52:00 2016 
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA)) Date: Fri, 8 Apr 2016 15:52:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25601#comment-25601 ] Vlad Grigorescu commented on BIT-1506: -------------------------------------- Seth said that he uses MacPorts, so it's possible that we optimized for that and not HomeBrew. > Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal > --------------------------------------------------------------------------- > > Key: BIT-1506 > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Assignee: Robin Sommer > Fix For: 2.5 > > > It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X > 10.11), and now Bro fails to build on OS X. Apple's recommendation is > that we either include a copy of OpenSSL ourselves or we use their > Secure Transport API. > [1] - -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From noreply at bro.org Sat Apr 9 00:00:17 2016 
From: noreply at bro.org (Merge Tracker) Date: Sat, 9 Apr 2016 00:00:17 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201604090700.u3970HvE002509@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- -------------- ------------ ---------- ------------- ---------- ----------------------------------------------------------------------------------------- BIT-1564 [1] BroControl Scott Knick Justin Azoff 2016-04-07 2.5 Low BroControl incorrectly references ok attribute of results even when None type is returned BIT-1563 [2] Bro Daniel Thayer - 2016-03-30 2.5 Normal BrokerComm and BrokerStore namespaces should be combined BIT-1549 [3] BroControl Daniel Thayer Justin Azoff 2016-04-01 2.5 Normal broctl top command doesn't work on OS X 10.10 or newer BIT-1510 [4] BroControl Seth Hall Justin Azoff 2016-04-07 2.5 Normal Crash reports when no crash happened BIT-1507 [5] Bro Jan Grashoefer Seth Hall 2016-01-25 - Low Intel framework does not match mail addresses properly Open GitHub Pull Requests ========================= Issue Component User Updated Title -------- ----------- --------------- ---------- ----------------------------------------------------------------------- #52 [6] bro J-Gras [7] 2016-04-07 Fixed matching mail address intel [8] #22 [9] bro-plugins nickwallen [10] 2016-04-08 BIT-1559 Bro-Plugins Send each log stream to different kafka topic [11] #18 [12] bro-plugins jshlbrd [13] 2016-03-03 SSDP analyzer [14] [1] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564 [2] BIT-1563 https://bro-tracker.atlassian.net/browse/BIT-1563 [3] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549 [4] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510 [5] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507 [6] Pull Request #52 https://github.com/bro/bro/pull/52 [7] J-Gras https://github.com/J-Gras [8] Merge Pull Request #52 with git pull --no-ff 
--no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507 [9] Pull Request #22 https://github.com/bro/bro-plugins/pull/22 [10] nickwallen https://github.com/nickwallen [11] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics [12] Pull Request #18 https://github.com/bro/bro-plugins/pull/18 [13] jshlbrd https://github.com/jshlbrd [14] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp From noreply at bro.org Sun Apr 10 00:00:17 2016 
From: noreply at bro.org (Merge Tracker) Date: Sun, 10 Apr 2016 00:00:17 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201604100700.u3A70HRX025644@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- -------------- ------------ ---------- ------------- ---------- ----------------------------------------------------------------------------------------- BIT-1564 [1] BroControl Scott Knick Justin Azoff 2016-04-07 2.5 Low BroControl incorrectly references ok attribute of results even when None type is returned BIT-1563 [2] Bro Daniel Thayer - 2016-03-30 2.5 Normal BrokerComm and BrokerStore namespaces should be combined BIT-1549 [3] BroControl Daniel Thayer Justin Azoff 2016-04-01 2.5 Normal broctl top command doesn't work on OS X 10.10 or newer BIT-1510 [4] BroControl Seth Hall Justin Azoff 2016-04-07 2.5 Normal Crash reports when no crash happened BIT-1507 [5] Bro Jan Grashoefer Seth Hall 2016-01-25 - Low Intel framework does not match mail addresses properly Open GitHub Pull Requests ========================= Issue Component User Updated Title -------- ----------- --------------- ---------- ----------------------------------------------------------------------- #52 [6] bro J-Gras [7] 2016-04-07 Fixed matching mail address intel [8] #22 [9] bro-plugins nickwallen [10] 2016-04-08 BIT-1559 Bro-Plugins Send each log stream to different kafka topic [11] #18 [12] bro-plugins jshlbrd [13] 2016-03-03 SSDP analyzer [14] [1] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564 [2] BIT-1563 https://bro-tracker.atlassian.net/browse/BIT-1563 [3] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549 [4] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510 [5] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507 [6] Pull Request #52 https://github.com/bro/bro/pull/52 [7] J-Gras https://github.com/J-Gras [8] Merge Pull Request #52 with git pull 
--no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507 [9] Pull Request #22 https://github.com/bro/bro-plugins/pull/22 [10] nickwallen https://github.com/nickwallen [11] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics [12] Pull Request #18 https://github.com/bro/bro-plugins/pull/18 [13] jshlbrd https://github.com/jshlbrd [14] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp From jira at bro-tracker.atlassian.net Sun Apr 10 13:08:00 2016 
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Sun, 10 Apr 2016 15:08:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25602#comment-25602 ] Jon Siwek commented on BIT-1506: -------------------------------- For Homebrew, `./configure --with-openssl=/usr/local/opt/openssl` works for me, so I don't think there's a problem w/ the --with-openssl option. What was the exact command you tried, Adam? Homebrew has OpenSSL as a keg-only formula -- they install it in a non-standard location to make it less likely to cause conflict w/ the system OpenSSL. At least that was the idea when OS X provided its own OpenSSL. I'm not sure if Homebrew plans to eventually remove the keg-only status of their formula in light of Apple's complete removal of OpenSSL. A user can probably also force Homebrew to link it into its standard prefix location via `brew link --force openssl`, but that's probably not something to generally recommend. If you're going for the "it just works" feeling, consider merging "topic/jsiwek/homebrew-openssl" in the "cmake" repo. > Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal > --------------------------------------------------------------------------- > > Key: BIT-1506 > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Assignee: Robin Sommer > Fix For: 2.5 > > > It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X > 10.11), and now Bro fails to build on OS X. Apple's recommendation is > that we either include a copy of OpenSSL ourselves or we use their > Secure Transport API.
> [1] - -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Sun Apr 10 13:15:00 2016 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Sun, 10 Apr 2016 15:15:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1506: --------------------------- Status: Merge Request (was: Reopened) Assignee: (was: Robin Sommer) > Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal > --------------------------------------------------------------------------- > > Key: BIT-1506 > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Fix For: 2.5 > > > It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X > 10.11), and now Bro fails to build on OS X. Apple's recommendation is > that we either include a copy of OpenSSL ourselves or we use their > Secure Transport API. > [1] - -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Sun Apr 10 13:20:00 2016 
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Sun, 10 Apr 2016 15:20:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25603#comment-25603 ] Jon Siwek commented on BIT-1506: -------------------------------- To be more clear, that branch I mentioned makes it so you don't need to even specify "--with-openssl=" when using homebrew. > Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal > --------------------------------------------------------------------------- > > Key: BIT-1506 > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Fix For: 2.5 > > > It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X > 10.11), and now Bro fails to build on OS X. Apple's recommendation is > that we either include a copy of OpenSSL ourselves or we use their > Secure Transport API. > [1] - -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Sun Apr 10 14:14:00 2016 
From: jira at bro-tracker.atlassian.net (Matthias Vallentin (JIRA)) Date: Sun, 10 Apr 2016 16:14:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25604#comment-25604 ] Matthias Vallentin commented on BIT-1506: ----------------------------------------- This looks like the right way to search for OpenSSL under Homebrew. > Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal > --------------------------------------------------------------------------- > > Key: BIT-1506 > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Fix For: 2.5 > > > It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X > 10.11), and now Bro fails to build on OS X. Apple's recommendation is > that we either include a copy of OpenSSL ourselves or we use their > Secure Transport API. > [1] - -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Sun Apr 10 14:36:01 2016 
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA)) Date: Sun, 10 Apr 2016 16:36:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25605#comment-25605 ] Adam Slagell commented on BIT-1506: ----------------------------------- Hah. I tried a few. 417 ./configure --with-openssl=/usr/local 474 ./configure --with-openssl=/usr/local/include/ 479 ./configure --with-openssl=/usr/local/etc 480 ./configure --with-openssl=/usr/local/ 484 ./configure --with-openssl=/usr/local/lib/ 488 ./configure --with-openssl=/usr/local/Cellar/ 492 ./configure --with-openssl=/usr/local/Cellar/openssl/ Of course the path you specified worked. Can someone put a note on the webpage with the fix for Homebrew users. Probably here. https://www.bro.org/sphinx/install/install.html > Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal > --------------------------------------------------------------------------- > > Key: BIT-1506 > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Fix For: 2.5 > > > It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X > 10.11), and now Bro fails to build on OS X. Apple's recommendation is > that we either include a copy of OpenSSL ourselves or we use their > Secure Transport API. > [1] - -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From vlad at grigorescu.org Sun Apr 10 14:56:19 2016 
From: vlad at grigorescu.org (Vlad Grigorescu) Date: Sun, 10 Apr 2016 16:56:19 -0500 Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal In-Reply-To: References: Message-ID: I extended Jon's fix a bit in topic/vladg/homebrew-openssl. It uses brew --prefix to get Homebrew's installation prefix, which seems to be the recommended approach. I also confirmed that Jon's fix works for me on El Capitan, with Homebrew (works in the sense that I don't need to pass any command-line arguments to configure). --Vlad On Sun, Apr 10, 2016 at 4:36 PM, Adam Slagell (JIRA) < jira at bro-tracker.atlassian.net> wrote: > > [ > https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25605#comment-25605 > ] > > Adam Slagell commented on BIT-1506: > ----------------------------------- > > Hah. I tried a few. > > 417 ./configure --with-openssl=/usr/local > 474 ./configure --with-openssl=/usr/local/include/ > 479 ./configure --with-openssl=/usr/local/etc > 480 ./configure --with-openssl=/usr/local/ > 484 ./configure --with-openssl=/usr/local/lib/ > 488 ./configure --with-openssl=/usr/local/Cellar/ > 492 ./configure --with-openssl=/usr/local/Cellar/openssl/ > > Of course the path you specified worked. > > Can someone put a note on the webpage with the fix for Homebrew users. > Probably here. 
> > https://www.bro.org/sphinx/install/install.html > > > > Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header > removal > > > --------------------------------------------------------------------------- > > > > Key: BIT-1506 > > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > > Project: Bro Issue Tracker > > Issue Type: Problem > > Components: Bro > > Affects Versions: 2.4 > > Reporter: Vlad Grigorescu > > Fix For: 2.5 > > > > > > It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X > > 10.11), and now Bro fails to build on OS X. Apple's recommendation is > > that we either include a copy of OpenSSL ourselves or we use their > > Secure Transport API. > > [1] - < > https://lists.apple.com/archives/macnetworkprog/2015/Jun/msg00025.html> > > > > -- > This message was sent by Atlassian JIRA > (v7.2.0-OD-05-030#72002) > _______________________________________________ > bro-dev mailing list > bro-dev at bro.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev > From noreply at bro.org Mon Apr 11 00:00:18 2016 
From: noreply at bro.org (Merge Tracker) Date: Mon, 11 Apr 2016 00:00:18 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201604110700.u3B70IJC011841@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- --------------- ------------ ---------- ------------- ---------- ----------------------------------------------------------------------------------------- BIT-1564 [1] BroControl Scott Knick Justin Azoff 2016-04-07 2.5 Low BroControl incorrectly references ok attribute of results even when None type is returned BIT-1563 [2] Bro Daniel Thayer - 2016-03-30 2.5 Normal BrokerComm and BrokerStore namespaces should be combined BIT-1549 [3] BroControl Daniel Thayer Justin Azoff 2016-04-01 2.5 Normal broctl top command doesn't work on OS X 10.10 or newer BIT-1510 [4] BroControl Seth Hall Justin Azoff 2016-04-07 2.5 Normal Crash reports when no crash happened BIT-1507 [5] Bro Jan Grashoefer Seth Hall 2016-01-25 - Low Intel framework does not match mail addresses properly BIT-1506 [6] Bro Vlad Grigorescu - 2016-04-10 2.5 Normal Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal Open GitHub Pull Requests ========================= Issue Component User Updated Title -------- ----------- --------------- ---------- ----------------------------------------------------------------------- #52 [7] bro J-Gras [8] 2016-04-07 Fixed matching mail address intel [9] #22 [10] bro-plugins nickwallen [11] 2016-04-08 BIT-1559 Bro-Plugins Send each log stream to different kafka topic [12] #18 [13] bro-plugins jshlbrd [14] 2016-03-03 SSDP analyzer [15] [1] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564 [2] BIT-1563 https://bro-tracker.atlassian.net/browse/BIT-1563 [3] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549 [4] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510 [5] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507 [6] 
BIT-1506 https://bro-tracker.atlassian.net/browse/BIT-1506 [7] Pull Request #52 https://github.com/bro/bro/pull/52 [8] J-Gras https://github.com/J-Gras [9] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507 [10] Pull Request #22 https://github.com/bro/bro-plugins/pull/22 [11] nickwallen https://github.com/nickwallen [12] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics [13] Pull Request #18 https://github.com/bro/bro-plugins/pull/18 [14] jshlbrd https://github.com/jshlbrd [15] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp From jira at bro-tracker.atlassian.net Mon Apr 11 03:02:00 2016 From: jira at bro-tracker.atlassian.net (Martin van Hensbergen (JIRA)) Date: Mon, 11 Apr 2016 05:02:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1566) RFB (VNC) protocol analyzer In-Reply-To: References: Message-ID: Martin van Hensbergen created BIT-1566: ------------------------------------------ Summary: RFB (VNC) protocol analyzer Key: BIT-1566 URL: https://bro-tracker.atlassian.net/browse/BIT-1566 Project: Bro Issue Tracker Issue Type: Patch Components: BinPAC, Bro Reporter: Martin van Hensbergen We have created a RFB protocol analyzer used for example by VNC. It contains a binpac analyzer, bro script and two testcases. Can be found here: https://github.com/martinvanhensbergen/bro/tree/topic/fox/rfb 000540645dfc406074d2a2098418711348b98079 -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 11 06:53:01 2016 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Mon, 11 Apr 2016 08:53:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1566) RFB (VNC) protocol analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1566: ------------------------------- Fix Version/s: 2.5 > RFB (VNC) protocol analyzer > --------------------------- > > Key: BIT-1566 > URL: https://bro-tracker.atlassian.net/browse/BIT-1566 > Project: Bro Issue Tracker > Issue Type: Patch > Components: BinPAC, Bro > Reporter: Martin van Hensbergen > Labels: analyzer > Fix For: 2.5 > > > We have created a RFB protocol analyzer used for example by VNC. It contains a binpac analyzer, bro script and two testcases. > Can be found here: > https://github.com/martinvanhensbergen/bro/tree/topic/fox/rfb > 000540645dfc406074d2a2098418711348b98079 -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 11 06:53:01 2016 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Mon, 11 Apr 2016 08:53:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1566) RFB (VNC) protocol analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1566: ------------------------------- Status: Merge Request (was: Open) > RFB (VNC) protocol analyzer > --------------------------- > > Key: BIT-1566 > URL: https://bro-tracker.atlassian.net/browse/BIT-1566 > Project: Bro Issue Tracker > Issue Type: Patch > Components: BinPAC, Bro > Reporter: Martin van Hensbergen > Labels: analyzer > Fix For: 2.5 > > > We have created a RFB protocol analyzer used for example by VNC. It contains a binpac analyzer, bro script and two testcases. > Can be found here: > https://github.com/martinvanhensbergen/bro/tree/topic/fox/rfb > 000540645dfc406074d2a2098418711348b98079 -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 11 06:54:00 2016 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Mon, 11 Apr 2016 08:54:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1567) Please merge topic/johanna/intel-cert-hash In-Reply-To: References: Message-ID: Johanna Amann created BIT-1567: ---------------------------------- Summary: Please merge topic/johanna/intel-cert-hash Key: BIT-1567 URL: https://bro-tracker.atlassian.net/browse/BIT-1567 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Affects Versions: git/master, 2.4 Reporter: Johanna Amann Fix For: 2.5 Please merge topic/johanna/intel-cert-hash; this patch makes it so that the indicator type INTEL::CERT_HASH actually matches against certificate hashes -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 11 06:54:00 2016 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Mon, 11 Apr 2016 08:54:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1567) Please merge topic/johanna/intel-cert-hash In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1567: ------------------------------- Status: Merge Request (was: Open) > Please merge topic/johanna/intel-cert-hash > ------------------------------------------ > > Key: BIT-1567 > URL: https://bro-tracker.atlassian.net/browse/BIT-1567 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master, 2.4 > Reporter: Johanna Amann > Fix For: 2.5 > > > Please merge topic/johanna/intel-cert-hash; this patch makes it so that the indicator type INTEL::CERT_HASH actually matches against certificate hashes -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 11 06:54:00 2016 
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA)) Date: Mon, 11 Apr 2016 08:54:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1566) RFB (VNC) protocol analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Seth Hall reassigned BIT-1566: ------------------------------ Assignee: Seth Hall > RFB (VNC) protocol analyzer > --------------------------- > > Key: BIT-1566 > URL: https://bro-tracker.atlassian.net/browse/BIT-1566 > Project: Bro Issue Tracker > Issue Type: Patch > Components: BinPAC, Bro > Reporter: Martin van Hensbergen > Assignee: Seth Hall > Labels: analyzer > Fix For: 2.5 > > > We have created a RFB protocol analyzer used for example by VNC. It contains a binpac analyzer, bro script and two testcases. > Can be found here: > https://github.com/martinvanhensbergen/bro/tree/topic/fox/rfb > 000540645dfc406074d2a2098418711348b98079 -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 11 07:16:00 2016 From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA)) Date: Mon, 11 Apr 2016 09:16:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1568) Add rtt field to dns.log In-Reply-To: References: Message-ID: Seth Hall created BIT-1568: ------------------------------ Summary: Add rtt field to dns.log Key: BIT-1568 URL: https://bro-tracker.atlassian.net/browse/BIT-1568 Project: Bro Issue Tracker Issue Type: Improvement Components: Bro Affects Versions: 2.5 Reporter: Seth Hall We should add a round trip time field to dns.log. This makes it much easier to discover misbehaving or poorly performing DNS servers. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 11 07:27:01 2016 
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA)) Date: Mon, 11 Apr 2016 09:27:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25700#comment-25700 ] Adam Slagell commented on BIT-1506: ----------------------------------- The installation instructions are in the Bro Manual though, and hence an update will only affect the development version and not the version people are likely to visit if they are using 2.4.x, right? Is there a way we can update the release version of the bro manual without making a new release? Or should we put a note somewhere else about the 2.4.x + Mac OS 10.11 + Homebrew problem? > Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal > --------------------------------------------------------------------------- > > Key: BIT-1506 > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Fix For: 2.5 > > > It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X > 10.11), and now Bro fails to build on OS X. Apple's recommendation is > that we either include a copy of OpenSSL ourselves or we use their > Secure Transport API. > [1] - -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 11 08:14:02 2016 
From: jira at bro-tracker.atlassian.net (Matthias Vallentin (JIRA)) Date: Mon, 11 Apr 2016 10:14:02 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25701#comment-25701 ] Matthias Vallentin commented on BIT-1506: ----------------------------------------- Right, ideally we avoid a new release, because it's not really a Bro bug. In my opinion, it suffices to update the 2.4.1 manual and mention how to use `--with-openssl` with Homebrew and El Capitan. Jon & Vlad have already fixed the issue for the next release. > Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal > --------------------------------------------------------------------------- > > Key: BIT-1506 > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Fix For: 2.5 > > > It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X > 10.11), and now Bro fails to build on OS X. Apple's recommendation is > that we either include a copy of OpenSSL ourselves or we use their > Secure Transport API. > [1] - -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 11 09:24:01 2016 
From: jira at bro-tracker.atlassian.net (Jon Schipp (JIRA)) Date: Mon, 11 Apr 2016 11:24:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-274) Finding lines where redefs occurred In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25702#comment-25702 ] Jon Schipp commented on BIT-274: -------------------------------- [~seth] Is this something that's still applicable? > Finding lines where redefs occurred > ----------------------------------- > > Key: BIT-274 > URL: https://bro-tracker.atlassian.net/browse/BIT-274 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: 1.5.1 > Reporter: Seth Hall > Assignee: Jon Schipp > > First, support would need added to Bro for finding all of the lines and scripts where redef's against a certain variable occurred. I would also like to see this support added through broctl. > Here's the scenario... > {noformat} > [BroControl] > find redef ignore_checksums > /usr/local/bro/share/bro/bro.init:360 const ignore_checksums = F &redef; > /usr/local/bro/share/bro/site/local.bro:133 redef ignore_checksums = T; > {noformat} > This is relating to a discussion I had about trouble people have with starting with Bro and the gotcha's encountered from enabling the cluster support. There are so many redef's happening and potentially without the user realizing it. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 11 09:26:00 2016 
From: jira at bro-tracker.atlassian.net (Jon Schipp (JIRA)) Date: Mon, 11 Apr 2016 11:26:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1560) BroControl unhappy when host dies during shutdown In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Schipp reassigned BIT-1560: ------------------------------- Assignee: Jon Schipp > BroControl unhappy when host dies during shutdown > ------------------------------------------------- > > Key: BIT-1560 > URL: https://bro-tracker.atlassian.net/browse/BIT-1560 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Affects Versions: git/master > Reporter: Johanna Amann > Assignee: Jon Schipp > Fix For: 2.5 > > > BroControl currently seems to get rather unhappy if a node crashes while Bro is being shut down. The output is something along these lines (it retries quite a few times and takes a while): > {code} > Error: failed to send stop signal to worker-19-1 > Error: failed to send stop signal to worker-19-2 > Error: cannot connect to worker-19-1 > Error: cannot connect to worker-19-2 > ssh: connect to host 10.0.1.69 port 22: Connection refused > ssh: connect to host 10.0.1.83 port 22: Host is down > Error: cannot connect to worker-19-1 > Error: cannot connect to worker-19-2 > ssh: connect to host 10.0.1.83 port 22: Host is down > ssh: connect to host 10.0.1.83 port 22: Host is down > Error: cannot connect to worker-19-1 > Error: cannot connect to worker-19-2 > ssh: connect to host 10.0.1.83 port 22: Host is down > ssh: connect to host 10.0.1.83 port 22: Host is down > Error: cannot connect to worker-19-1 > Error: cannot connect to worker-19-2 > ssh: connect to host 10.0.1.83 port 22: Host is down > ssh: connect to host 10.0.1.83 port 22: Host is down > Error: cannot connect to worker-19-1 > Error: cannot connect to worker-19-2 > ssh: connect to host 10.0.1.83 port 22: Host is down > ssh: connect to 
host 10.0.1.83 port 22: Host is down > Error: cannot connect to worker-19-1 > Error: cannot connect to worker-19-2 > ssh: connect to host 10.0.1.83 port 22: Host is down > ssh: connect to host 10.0.1.83 port 22: Host is down > ... > ssh: connect to host 10.0.1.83 port 22: Host is down > Error: cannot connect to worker-19-1 > Error: cannot connect to worker-19-2 > Error: 'str' object has no attribute 'type' > [BroControl] > > {code} -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From asharma at lbl.gov Mon Apr 11 09:28:50 2016
From: asharma at lbl.gov (Aashish Sharma)
Date: Mon, 11 Apr 2016 09:28:50 -0700
Subject: [Bro-Dev] cluster communication best practice?
Message-ID: <20160411162846.GD45490@mac.local>

I am in the process of clusterizing a bunch of scripts and using worker2manager and manager2worker events for doing so. This seems to be working *quite fantastic* actually and I see 1-to-1 mapping on data moving around.

I still don't quite understand how the communication happens in the background (can someone elaborate or point me to where I should be looking?)

While I am using local caches and not sending data if already sent around, I know still the number of events has increased significantly.

I am wondering if in the background proxy/workers/manager/workers keep a persistent connection over which bytes just move (so it doesn't quite matter how many times we move the data) or am I in danger of overloading proxies at some point with this communication? Would an increase in the number of proxies help?

For an example test case I am trying to synchronize a bloomfilter (populating with IPs based on outgoing SF seen) across workers using this technique. Right now I don't see a significant increase in CPU or memory per se doing this, but porting old-scan detection to cluster is next on the to-do list and I want to make sure I don't cause proxies to explode.

Thanks,
Aashish

From jira at bro-tracker.atlassian.net Mon Apr 11 09:56:00 2016
From: jira at bro-tracker.atlassian.net (Jon Schipp (JIRA))
Date: Mon, 11 Apr 2016 11:56:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1569) Bro cluster in containers for testing
In-Reply-To:
References:
Message-ID:

Jon Schipp created BIT-1569:
-------------------------------

Summary: Bro cluster in containers for testing
Key: BIT-1569
URL: https://bro-tracker.atlassian.net/browse/BIT-1569
Project: Bro Issue Tracker
Issue Type: Task
Components: BTest
Reporter: Jon Schipp
Assignee: Jon Schipp
Priority: Low

I want to get a bro cluster running in containers with a scalable configuration for testing. Something like ./test --workers 4 --proxies 2 would be really nice.

VMs take too much disk space and make my machine slow when testing things with my Vagrant cluster that uses VirtualBox.

This doesn't belong in BTest but I was not able to find a suitable component.

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From jan.grashoefer at gmail.com Mon Apr 11 14:05:41 2016
From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Mon, 11 Apr 2016 23:05:41 +0200
Subject: [Bro-Dev] Per item expiration for tables
In-Reply-To: <20160407155821.GE55417@icir.org>
References: <57050AFC.1000609@gmail.com> <20160407155821.GE55417@icir.org>
Message-ID: <570C11A5.7070602@gmail.com>

Hi Robin,

> I understand the motivation but I would prefer to stick with existing
> mechanisms, as per item expiration times can get expensive (that would
> require storing an additional float for all table entries). It might
> also be a bit too specialized a use case to add new syntax to support
> it.

While I think adding a float for table entries would not be too expensive (considering the common dimensions of Bro-deployments), I can follow that this is an edge case, which might not justify introducing new bifs or even syntax support.

> Let me try an idea: could you limit the set of expiration times to a
> predefined list of choices (e.g., 10mins, 1hr, 1d, 1w, 1m)? Then you
> could work with a set of tables with corresponding expiration
> intervals.

I am not sure I get that right. Wouldn't that require a lot of duplicate code (at least for the table declarations)? My alternative would be to implement a (configurable) timeout and allow timeout values that are multiples of this value. Another approach could be to allow any timeout values, use a single table timeout for "garbage collection" of expired entries and check validity on every match. But I think the last approach would introduce significant overhead.

Best regards,
Jan

From noreply at bro.org Tue Apr 12 00:00:20 2016
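The last alternative in the "Per item expiration for tables" message above (any timeout value, one table-wide timer as garbage collection, validity checked on every match), sketched in Bro script as an added example that is not part of the thread or of Bro's own scripts. The module, record and function names are hypothetical, the addresses are constructed sample values, and using `&expire_func` to postpone removal is this example's choice, not something proposed in the thread.

```bro
# Added example (not from the thread). All names below are hypothetical.
module ItemExpire;

export {
	# Value type carrying its own deadline. This is the extra per-entry
	# timestamp whose cost the quoted reply is concerned about, paid here
	# at script level instead of inside the table implementation.
	type Entry: record {
		note: string;
		expires: time;
	};

	global add_entry: function(a: addr, note: string, ttl: interval);
	global is_live: function(a: addr): bool;
}

# Called when the table-wide timer fires for an entry. A positive return
# value postpones removal by that interval; zero lets the entry expire.
function entry_expire(t: table[addr] of Entry, idx: addr): interval
	{
	local left = t[idx]$expires - network_time();

	if ( left > 0 secs )
		return left;

	return 0 secs;
	}

# One coarse timer for the whole table acts as the garbage-collection pass.
global entries: table[addr] of Entry
	&create_expire=10 mins &expire_func=entry_expire;

function add_entry(a: addr, note: string, ttl: interval)
	{
	entries[a] = [$note=note, $expires=network_time() + ttl];
	}

# Validity check on every match: an entry whose own deadline has passed but
# which the coarse timer has not collected yet is treated as absent.
function is_live(a: addr): bool
	{
	if ( a !in entries )
		return F;

	return entries[a]$expires > network_time();
	}

event bro_init()
	{
	# Constructed sample entries: one shorter and one longer than the
	# 10-minute table timer.
	add_entry(192.0.2.10, "short-lived", 30 secs);
	add_entry(192.0.2.20, "long-lived", 1 day);
	print is_live(192.0.2.10), is_live(192.0.2.20);
	}
```

The per-match cost is one membership test and one timestamp comparison; entries with a lifetime shorter than the table timer stay in memory until that timer fires, which is the trade-off of using a single coarse timeout.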
From: noreply at bro.org (Merge Tracker) Date: Tue, 12 Apr 2016 00:00:20 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201604120700.u3C70K0b028906@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- --------------------- ------------ ---------- ------------- ---------- ----------------------------------------------------------------------------------------- BIT-1567 [1] Bro Johanna Amann - 2016-04-11 2.5 Normal Please merge topic/johanna/intel-cert-hash BIT-1566 [2] BinPAC,Bro Martin van Hensbergen Seth Hall 2016-04-11 2.5 Normal RFB (VNC) protocol analyzer BIT-1564 [3] BroControl Scott Knick Justin Azoff 2016-04-07 2.5 Low BroControl incorrectly references ok attribute of results even when None type is returned BIT-1563 [4] Bro Daniel Thayer - 2016-03-30 2.5 Normal BrokerComm and BrokerStore namespaces should be combined BIT-1549 [5] BroControl Daniel Thayer Justin Azoff 2016-04-01 2.5 Normal broctl top command doesn't work on OS X 10.10 or newer BIT-1510 [6] BroControl Seth Hall Justin Azoff 2016-04-07 2.5 Normal Crash reports when no crash happened BIT-1507 [7] Bro Jan Grashoefer Seth Hall 2016-01-25 - Low Intel framework does not match mail addresses properly BIT-1506 [8] Bro Vlad Grigorescu - 2016-04-11 2.5 Normal Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal Open GitHub Pull Requests ========================= Issue Component User Updated Title -------- ----------- --------------- ---------- ----------------------------------------------------------------------- #52 [9] bro J-Gras [10] 2016-04-07 Fixed matching mail address intel [11] #22 [12] bro-plugins nickwallen [13] 2016-04-11 BIT-1559 Bro-Plugins Send each log stream to different kafka topic [14] #18 [15] bro-plugins jshlbrd [16] 2016-03-03 SSDP analyzer [17] [1] BIT-1567 https://bro-tracker.atlassian.net/browse/BIT-1567 [2] BIT-1566 
https://bro-tracker.atlassian.net/browse/BIT-1566 [3] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564 [4] BIT-1563 https://bro-tracker.atlassian.net/browse/BIT-1563 [5] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549 [6] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510 [7] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507 [8] BIT-1506 https://bro-tracker.atlassian.net/browse/BIT-1506 [9] Pull Request #52 https://github.com/bro/bro/pull/52 [10] J-Gras https://github.com/J-Gras [11] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507 [12] Pull Request #22 https://github.com/bro/bro-plugins/pull/22 [13] nickwallen https://github.com/nickwallen [14] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics [15] Pull Request #18 https://github.com/bro/bro-plugins/pull/18 [16] jshlbrd https://github.com/jshlbrd [17] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp From jira at bro-tracker.atlassian.net Tue Apr 12 13:44:02 2016 
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Tue, 12 Apr 2016 15:44:02 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1565) I added a sentence to the for-statement docu to warn about iterating over un-sorted lists In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25703#comment-25703 ] Daniel Thayer commented on BIT-1565: ------------------------------------ I've improved documentation of the "for" loop in the git branch "topic/dnthayer/doc-improvements". > I added a sentence to the for-statement docu to warn about iterating over un-sorted lists > ----------------------------------------------------------------------------------------- > > Key: BIT-1565 > URL: https://bro-tracker.atlassian.net/browse/BIT-1565 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Documentation > Affects Versions: git/master > Reporter: Doris Schioberg > Priority: Low > Labels: documentation > Attachments: 0001-Adding-a-sentence-to-the-for-loop-doc-that-warns-abo.patch > > > I added a sentence to the for-statement docu to warn about iterating over un-sorted lists. > For most people this might be obvious but might help some. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Tue Apr 12 13:45:00 2016 
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Tue, 12 Apr 2016 15:45:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1565) I added a sentence to the for-statement docu to warn about iterating over un-sorted lists In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1565?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1565: ------------------------------- Resolution: Duplicate Status: Closed (was: Open) Duplicate of BIT-1520. > I added a sentence to the for-statement docu to warn about iterating over un-sorted lists > ----------------------------------------------------------------------------------------- > > Key: BIT-1565 > URL: https://bro-tracker.atlassian.net/browse/BIT-1565 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Documentation > Affects Versions: git/master > Reporter: Doris Schioberg > Priority: Low > Labels: documentation > Attachments: 0001-Adding-a-sentence-to-the-for-loop-doc-that-warns-abo.patch > > > I added a sentence to the for-statement docu to warn about iterating over un-sorted lists. > For most people this might be obvious but might help some. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Tue Apr 12 14:03:02 2016 
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA)) Date: Tue, 12 Apr 2016 16:03:02 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1566) RFB (VNC) protocol analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Seth Hall updated BIT-1566: --------------------------- Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) Merged with commit 9d0899325a6a4391764cc541f4c41b4353ff79e6. Thanks Martin! > RFB (VNC) protocol analyzer > --------------------------- > > Key: BIT-1566 > URL: https://bro-tracker.atlassian.net/browse/BIT-1566 > Project: Bro Issue Tracker > Issue Type: Patch > Components: BinPAC, Bro > Reporter: Martin van Hensbergen > Assignee: Seth Hall > Labels: analyzer > Fix For: 2.5 > > > We have created a RFB protocol analyzer used for example by VNC. It contains a binpac analyzer, bro script and two testcases. > Can be found here: > https://github.com/martinvanhensbergen/bro/tree/topic/fox/rfb > 000540645dfc406074d2a2098418711348b98079 -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From noreply at bro.org Wed Apr 13 00:00:41 2016 
From: noreply at bro.org (Merge Tracker)
Date: Wed, 13 Apr 2016 00:00:41 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604130700.u3D70fCS029516@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter         Assignee      Updated     For Version    Priority    Summary
------------  -----------  ---------------  ------------  ----------  -------------  ----------  -----------------------------------------------------------------------------------------
BIT-1567 [1]  Bro          Johanna Amann    -             2016-04-11  2.5            Normal      Please merge topic/johanna/intel-cert-hash
BIT-1564 [2]  BroControl   Scott Knick      Justin Azoff  2016-04-07  2.5            Low         BroControl incorrectly references ok attribute of results even when None type is returned
BIT-1563 [3]  Bro          Daniel Thayer    -             2016-03-30  2.5            Normal      BrokerComm and BrokerStore namespaces should be combined
BIT-1549 [4]  BroControl   Daniel Thayer    Justin Azoff  2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1510 [5]  BroControl   Seth Hall        Justin Azoff  2016-04-07  2.5            Normal      Crash reports when no crash happened
BIT-1507 [6]  Bro          Jan Grashoefer   Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly
BIT-1506 [7]  Bro          Vlad Grigorescu  -             2016-04-11  2.5            Normal      Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#52 [8]   bro          J-Gras [9]       2016-04-07  Fixed matching mail address intel [10]
#22 [11]  bro-plugins  nickwallen [12]  2016-04-11  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [13]
#18 [14]  bro-plugins  jshlbrd [15]     2016-03-03  SSDP analyzer [16]

[1] BIT-1567 https://bro-tracker.atlassian.net/browse/BIT-1567
[2] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564
[3] BIT-1563 https://bro-tracker.atlassian.net/browse/BIT-1563
[4] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549
[5] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510
[6] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[7] BIT-1506 https://bro-tracker.atlassian.net/browse/BIT-1506
[8] Pull Request #52 https://github.com/bro/bro/pull/52
[9] J-Gras https://github.com/J-Gras
[10] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[11] Pull Request #22 https://github.com/bro/bro-plugins/pull/22
[12] nickwallen https://github.com/nickwallen
[13] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[14] Pull Request #18 https://github.com/bro/bro-plugins/pull/18
[15] jshlbrd https://github.com/jshlbrd
[16] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From robin at icir.org Wed Apr 13 08:23:25 2016
From: robin at icir.org (Robin Sommer)
Date: Wed, 13 Apr 2016 08:23:25 -0700
Subject: [Bro-Dev] Test suite failures
Message-ID: <20160413152325.GB27702@icir.org>

Huh, what's up with all that Jenkins output?

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From dnthayer at illinois.edu Wed Apr 13 09:24:38 2016
From: dnthayer at illinois.edu (Thayer, Daniel N)
Date: Wed, 13 Apr 2016 16:24:38 +0000
Subject: [Bro-Dev] Test suite failures
In-Reply-To: <20160413152325.GB27702@icir.org>
References: <20160413152325.GB27702@icir.org>
Message-ID: <8F865DA62E66F543B6104A2835719CF939135FC7@CITESMBX5.ad.uillinois.edu>

Some of the failures appear to be from the RFB analyzer commits from yesterday that now prevent Bro from building on FreeBSD 10.

________________________________________
From: bro-dev-bounces at bro.org [bro-dev-bounces at bro.org] on behalf of Robin Sommer [robin at icir.org]
Sent: Wednesday, April 13, 2016 10:23 AM
To: bro-dev at bro.org
Subject: [Bro-Dev] Test suite failures

Huh, what's up with all that Jenkins output?

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
_______________________________________________
bro-dev mailing list
bro-dev at bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

From seth at icir.org Wed Apr 13 13:32:29 2016
From: seth at icir.org (Seth Hall)
Date: Wed, 13 Apr 2016 16:32:29 -0400
Subject: [Bro-Dev] Test suite failures
In-Reply-To: <8F865DA62E66F543B6104A2835719CF939135FC7@CITESMBX5.ad.uillinois.edu>
References: <20160413152325.GB27702@icir.org> <8F865DA62E66F543B6104A2835719CF939135FC7@CITESMBX5.ad.uillinois.edu>
Message-ID: <3ED977DF-F194-4789-92FC-4A78960387B8@icir.org>

> On Apr 13, 2016, at 12:24 PM, Thayer, Daniel N wrote:
>
> Some of the failures appear to be from the RFB analyzer commits from yesterday that
> now prevent Bro from building on FreeBSD 10.

I'm just about done with the fix for that! :) It was a macro expansion name conflict.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Wed Apr 13 13:53:47 2016
From: seth at icir.org (Seth Hall)
Date: Wed, 13 Apr 2016 16:53:47 -0400
Subject: [Bro-Dev] Test suite failures
In-Reply-To: <3ED977DF-F194-4789-92FC-4A78960387B8@icir.org>
References: <20160413152325.GB27702@icir.org> <8F865DA62E66F543B6104A2835719CF939135FC7@CITESMBX5.ad.uillinois.edu> <3ED977DF-F194-4789-92FC-4A78960387B8@icir.org>
Message-ID:

> On Apr 13, 2016, at 4:32 PM, Seth Hall wrote:
>
> It was a macro expansion name conflict.

Oops! Now I noticed that you committed into fast path! We did the same fix at least. I suppose we should revert your change out of fast path now. I'll take care of that.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jira at bro-tracker.atlassian.net Wed Apr 13 14:27:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 13 Apr 2016 16:27:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1509) Library search problem with make-rpm-packages
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25706#comment-25706 ]

Daniel Thayer commented on BIT-1509:
------------------------------------

I tried building the rpm for Bro 2.4.1, and here's where broccoli gets installed:

/opt/bro/lib/broctl/_broccoli_intern.so
/opt/bro/lib/broctl/broccoli.py
/opt/bro/lib/broctl/broccoli_intern.py
/opt/bro/lib/libbroccoli.a
/opt/bro/lib/libbroccoli.so
/opt/bro/lib/libbroccoli.so.5
/opt/bro/lib/libbroccoli.so.5.1.0

This matches the results I get when I just build and install Bro with ./configure, make, and make install (replacing /opt/bro with whatever PREFIX is used).

> Library search problem with make-rpm-packages
> ---------------------------------------------
>
> Key: BIT-1509
> URL: https://bro-tracker.atlassian.net/browse/BIT-1509
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Reporter: Robin Sommer
> Fix For: 2.5
>
>
> The "full Bro" RPM that make-rpm-packages builds, puts broccoli.so into /opt/bro/lib, but doesn't make sure that BroControl can actually find it there, letting the "import broccoli" fail. It sounds like this used to work in 2.3, but not anymore in 2.4.
> I don't know if we want to support the RPM script going forward, given that we've switched to the SuSE build service. But as long as we keep shipping it, it would be nice if it "just worked".

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From noreply at bro.org Thu Apr 14 00:00:19 2016
From: noreply at bro.org (Merge Tracker)
Date: Thu, 14 Apr 2016 00:00:19 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604140700.u3E70JNl008545@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter         Assignee      Updated     For Version    Priority    Summary
------------  -----------  ---------------  ------------  ----------  -------------  ----------  -----------------------------------------------------------------------------------------
BIT-1567 [1]  Bro          Johanna Amann    -             2016-04-11  2.5            Normal      Please merge topic/johanna/intel-cert-hash
BIT-1564 [2]  BroControl   Scott Knick      Justin Azoff  2016-04-07  2.5            Low         BroControl incorrectly references ok attribute of results even when None type is returned
BIT-1563 [3]  Bro          Daniel Thayer    -             2016-03-30  2.5            Normal      BrokerComm and BrokerStore namespaces should be combined
BIT-1549 [4]  BroControl   Daniel Thayer    Justin Azoff  2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1510 [5]  BroControl   Seth Hall        Justin Azoff  2016-04-07  2.5            Normal      Crash reports when no crash happened
BIT-1507 [6]  Bro          Jan Grashoefer   Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly
BIT-1506 [7]  Bro          Vlad Grigorescu  -             2016-04-11  2.5            Normal      Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

Open Fastpath Commits
======================

Commit       Component    Author         Date        Summary
-----------  -----------  -------------  ----------  ---------------------------------------------
23d2562 [8]  bro          Seth Hall      2016-04-13  Revert "Fix RFB analyzer to build on FreeBSD"
16c0707 [9]  bro          Daniel Thayer  2016-04-13  Fix RFB analyzer to build on FreeBSD

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#52 [10]  bro          J-Gras [11]      2016-04-07  Fixed matching mail address intel [12]
#22 [13]  bro-plugins  nickwallen [14]  2016-04-11  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [15]
#18 [16]  bro-plugins  jshlbrd [17]     2016-03-03  SSDP analyzer [18]

[1] BIT-1567 https://bro-tracker.atlassian.net/browse/BIT-1567
[2] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564
[3] BIT-1563 https://bro-tracker.atlassian.net/browse/BIT-1563
[4] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549
[5] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510
[6] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[7] BIT-1506 https://bro-tracker.atlassian.net/browse/BIT-1506
[8] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673
[9] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f
[10] Pull Request #52 https://github.com/bro/bro/pull/52
[11] J-Gras https://github.com/J-Gras
[12] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[13] Pull Request #22 https://github.com/bro/bro-plugins/pull/22
[14] nickwallen https://github.com/nickwallen
[15] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[16] Pull Request #18 https://github.com/bro/bro-plugins/pull/18
[17] jshlbrd https://github.com/jshlbrd
[18] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From robin at icir.org Thu Apr 14 11:52:19 2016
From: robin at icir.org (Robin Sommer)
Date: Thu, 14 Apr 2016 11:52:19 -0700
Subject: [Bro-Dev] Timing regression?
Message-ID: <20160414185219.GP64671@icir.org>

I just ran the external testsuite for current master on my development system, and I'm seeing some quite increased execution times:

[ 50%] tests.short ... failed (+3.4%)
[ 75%] tests.medium ... failed (+1.5%)
[ 28%] tests.m57-short ... failed (+4.6%)
[ 71%] tests.ipv6 ... failed (+39.8%)
[ 85%] tests.m57-long ... failed (+9.8%)

The short tests are prone to fluctuate in timing, but the increases for ipv6 and m57-long are sticking out. Any ideas what could be causing this?

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From noreply at bro.org Fri Apr 15 00:00:22 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 18 Apr 2016 12:43:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1554) broker (bro 2.4.1) fails to build against Python 3.{3, 4, 5}
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1554:
-------------------------------
Priority: High (was: Normal)

> broker (bro 2.4.1) fails to build against Python 3.{3,4,5}
> ----------------------------------------------------------
>
> Key: BIT-1554
> URL: https://bro-tracker.atlassian.net/browse/BIT-1554
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Broker
> Affects Versions: 2.4
> Environment: Trying to compile Bro 2.4.1 on Gentoo Linux (x86_64) with broker enabled, against CAF 0.13.2, with python, using GCC support.
> Reporter: M.B.
> Priority: High
> Labels: build
> Fix For: 2.5
>
> Attachments: bro-2.4.1.ebuild, build.log
>
>
> Bro fails to build. Details (in particular the options cmake gets called with) can be seen from the build.log.
> For completeness I included the .ebuild.

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From jira at bro-tracker.atlassian.net Mon Apr 18 10:43:01 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 18 Apr 2016 12:43:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1554) broker (bro 2.4.1) fails to build against Python 3.{3, 4, 5}
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25708#comment-25708 ]

Johanna Amann commented on BIT-1554:
------------------------------------

We actually should fix this soon - with only python 3 becoming the default on some systems, more and more people will have the current default Bro build fail on them... (see mailing list)

> broker (bro 2.4.1) fails to build against Python 3.{3,4,5}
> ----------------------------------------------------------
>
> Key: BIT-1554
> URL: https://bro-tracker.atlassian.net/browse/BIT-1554
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Broker
> Affects Versions: 2.4
> Environment: Trying to compile Bro 2.4.1 on Gentoo Linux (x86_64) with broker enabled, against CAF 0.13.2, with python, using GCC support.
> Reporter: M.B.
> Priority: High
> Labels: build
> Fix For: 2.5
>
> Attachments: bro-2.4.1.ebuild, build.log
>
>
> Bro fails to build. Details (in particular the options cmake gets called with) can be seen from the build.log.
> For completeness I included the .ebuild.

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From jira at bro-tracker.atlassian.net Mon Apr 18 20:58:00 2016
From: jira at bro-tracker.atlassian.net (Matthias Vallentin (JIRA))
Date: Mon, 18 Apr 2016 22:58:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1388) Broker's integration in Bro's main/run loop
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1388?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matthias Vallentin reassigned BIT-1388:
---------------------------------------
Assignee: Matthias Vallentin

> Broker's integration in Bro's main/run loop
> -------------------------------------------
>
> Key: BIT-1388
> URL: https://bro-tracker.atlassian.net/browse/BIT-1388
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro, Broker
> Reporter: Jon Siwek
> Assignee: Matthias Vallentin
> Fix For: 2.5
>
>
> * There's a cost to Broker queues being idle. Whenever Broker gets a chance to process messages, it looks for updates to all connections/message-queues/data-stores. That involves sending synchronous messages between actors, and for empty queues, it just gets back an empty deque object it needs to destroy.
> * Broker queues integrate into Bro's run loop by exposing a file descriptor that's ready when the queue is non-empty. Users have the capability of adding arbitrary numbers of queues at run-time (e.g. they can freely add subscriptions to any amount of logs, events, etc.). Relying on select() may become a bottleneck if someone has hundreds of Broker queues, or could possibly break on some systems if FD_SETSIZE is limited to 1024.
> Ideas on how to fix:
> * Improve Bro's main run loop and dedicate an IOSource to each Broker queue (instead of sharing a single IOSource like they do now). There might be several things that could be tweaked in the main run loop, but at a minimum, epoll()/kqueue() could alternatively replace select(). Could also think about using something like libev (http://pod.tst.eu/http://cvs.schmorp.de/libev/ev.pod) to abstract what particular polling backend is used. Might even be able to use libev's timers to fix how Bro's timers are currently coupled w/ there being an active IOSource consistently driving time forward.
> * Move the draining of Broker queues completely off to their own threads. This maybe is adding a bit too much complexity (Broker/CAF uses threads for queues, then Bro would use more threads just to talk to those other threads...). Since CAF becomes a requirement, it may be simpler to start replacing/allowing some areas of Bro's threading to be done w/ CAF actors. And then if Broker exposed an optional API to talk directly w/ CAF actors, the integration w/ Bro may actually become more straightforward.
> And those ideas don't have to be mutually exclusive.

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From jira at bro-tracker.atlassian.net Mon Apr 18 20:59:00 2016
From: jira at bro-tracker.atlassian.net (Matthias Vallentin (JIRA))
Date: Mon, 18 Apr 2016 22:59:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1447) Can't abort blocking Broker Python functions
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1447?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matthias Vallentin reassigned BIT-1447:
---------------------------------------
Assignee: Matthias Vallentin

> Can't abort blocking Broker Python functions
> --------------------------------------------
>
> Key: BIT-1447
> URL: https://bro-tracker.atlassian.net/browse/BIT-1447
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Broker
> Affects Versions: 2.4
> Reporter: Robin Sommer
> Assignee: Matthias Vallentin
> Fix For: 2.5
>
>
> When one of Broker's Python functions blocks, one can't abort with CTRL-C.

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From jira at bro-tracker.atlassian.net Mon Apr 18 20:59:00 2016
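The file-descriptor concern raised in BIT-1388 above, as an added example that is not code from Bro or Broker: `ready_queues_select()` shows the FD_SETSIZE guard a select()-based loop needs, and `ready_queues()` does the same readiness check with poll(), which takes an array and has no such ceiling. The pipe-backed `struct queue` and all function names are assumptions for illustration, and poll() stands in for the epoll()/kqueue() backends the ticket mentions.

```c
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>
#include <unistd.h>

/* Hypothetical stand-in for a Broker queue (assumption, not Broker's API):
 * a pipe whose read end is readable while the queue is non-empty. */
struct queue {
    int rfd; /* descriptor the run loop watches */
    int wfd; /* descriptor the producer writes to */
};

int queue_open(struct queue *q)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    q->rfd = p[0];
    q->wfd = p[1];
    return 0;
}

void queue_close(struct queue *q) { close(q->rfd); close(q->wfd); }

/* Enqueue / dequeue a one-byte message; both return 0 on success. */
int queue_push(struct queue *q, char m) { return write(q->wfd, &m, 1) == 1 ? 0 : -1; }
int queue_pop(struct queue *q, char *m) { return read(q->rfd, m, 1) == 1 ? 0 : -1; }

/* select() keeps descriptors in a fixed bitmap of FD_SETSIZE bits, so
 * FD_SET() on a larger descriptor writes out of bounds. Returns 1 only
 * when fd is safe to hand to FD_SET(). */
int select_can_watch(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* select()-based readiness check. Stores the indices of non-empty queues
 * in ready[] and returns how many there are, -1 on a system-call error,
 * or -2 when a descriptor does not fit into an fd_set. timeout_ms >= 0. */
int ready_queues_select(const struct queue *qs, int n, int timeout_ms, int *ready)
{
    fd_set rset;
    struct timeval tv;
    int i, maxfd = -1, count = 0;
    FD_ZERO(&rset);
    for (i = 0; i < n; i++) {
        if (!select_can_watch(qs[i].rfd))
            return -2; /* refuse instead of corrupting memory */
        FD_SET(qs[i].rfd, &rset);
        if (qs[i].rfd > maxfd)
            maxfd = qs[i].rfd;
    }
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    if (select(maxfd + 1, &rset, NULL, NULL, &tv) < 0)
        return -1;
    for (i = 0; i < n; i++)
        if (FD_ISSET(qs[i].rfd, &rset))
            ready[count++] = i;
    return count;
}

/* poll()-based equivalent with the same return convention (never -2):
 * descriptors are passed as an array, so their numeric value is unbounded. */
int ready_queues(const struct queue *qs, int n, int timeout_ms, int *ready)
{
    struct pollfd *pfds = calloc(n > 0 ? (size_t)n : 1, sizeof *pfds);
    int i, count = 0;
    if (pfds == NULL)
        return -1;
    for (i = 0; i < n; i++) {
        pfds[i].fd = qs[i].rfd;
        pfds[i].events = POLLIN;
    }
    if (poll(pfds, (nfds_t)(n > 0 ? n : 0), timeout_ms) < 0) {
        free(pfds);
        return -1;
    }
    for (i = 0; i < n; i++)
        if (pfds[i].revents & POLLIN)
            ready[count++] = i;
    free(pfds);
    return count;
}

int main(void)
{
    struct queue qs[3];
    int ready[3], i;
    for (i = 0; i < 3; i++)
        if (queue_open(&qs[i]) != 0)
            return 1;
    queue_push(&qs[1], 'x'); /* only queue 1 is non-empty */
    printf("poll: %d ready\n", ready_queues(qs, 3, 0, ready));
    printf("select: %d ready\n", ready_queues_select(qs, 3, 0, ready));
    for (i = 0; i < 3; i++)
        queue_close(&qs[i]);
    return 0;
}
```
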
From: jira at bro-tracker.atlassian.net (Matthias Vallentin (JIRA))
Date: Mon, 18 Apr 2016 22:59:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1445) Broker crash when two stores go to the same SQLite DB
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1445?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matthias Vallentin reassigned BIT-1445:
---------------------------------------

    Assignee: Matthias Vallentin

> Broker crash when two stores go to the same SQLite DB
> -----------------------------------------------------
>
>              Key: BIT-1445
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1445
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Broker
> Affects Versions: 2.4
>         Reporter: Robin Sommer
>         Assignee: Matthias Vallentin
>          Fix For: 2.5
>
>
> This crashes Bro:
> {code}
> [...]
> local s = BrokerStore::create_master("BroCon", BrokerStore::SQLITE);
> local t = BrokerStore::create_master("BroCon2", BrokerStore::SQLITE);
> [...]
> {code}
> Both stores go to the same file because the 3rd parameter with the file name is optional and defaults to {{store.sqlite}}; and that is a problem.

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From jira at bro-tracker.atlassian.net Mon Apr 18 20:54:00 2016
From: jira at bro-tracker.atlassian.net (Matthias Vallentin (JIRA)) Date: Mon, 18 Apr 2016 22:54:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1555) aux/broker/bindings/python/CMakeLists.txt doesn't respect -DINSTALL_LIB_DIR In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Matthias Vallentin reassigned BIT-1555: --------------------------------------- Assignee: Matthias Vallentin > aux/broker/bindings/python/CMakeLists.txt doesn't respect -DINSTALL_LIB_DIR > --------------------------------------------------------------------------- > > Key: BIT-1555 > URL: https://bro-tracker.atlassian.net/browse/BIT-1555 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Broker > Affects Versions: 2.4 > Environment: Building on Gentoo Linux (x86_64) > Reporter: M.B. > Assignee: Matthias Vallentin > Labels: build > Fix For: 2.5 > > Attachments: bro-2.4.1.ebuild, bro-2.4.1-fix-python-install-dir.patch > > > During a normal build, this is a non-issue, as files get installed to .../lib/... > However, in a multilib environment this may become an issue. Hence it should respect INSTALL_LIB_DIR, propagated from the top-level CMakeLists.txt. > I wrote a simple patch that simply removes the logic for re-setting PY_MOD_INSTALL_DIR, as I use this var to circumvent the issue. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 18 20:57:00 2016 
From: jira at bro-tracker.atlassian.net (Matthias Vallentin (JIRA)) Date: Mon, 18 Apr 2016 22:57:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1450) Improve Python API In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1450?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Matthias Vallentin reassigned BIT-1450: --------------------------------------- Assignee: Matthias Vallentin > Improve Python API > ------------------ > > Key: BIT-1450 > URL: https://bro-tracker.atlassian.net/browse/BIT-1450 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Broker > Affects Versions: 2.4 > Reporter: Robin Sommer > Assignee: Matthias Vallentin > Fix For: 2.5 > > > The Python API is a bit cumbersome still as it requires (1) manually wrapping values with {{data}} instances, and (2) also generally reflects C semantics a bit too much, leading to some "unPythonic" idioms. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 18 20:56:00 2016 
From: jira at bro-tracker.atlassian.net (Matthias Vallentin (JIRA)) Date: Mon, 18 Apr 2016 22:56:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1556) bro-2.4.1 fails to compile broker with -march=i686 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Matthias Vallentin reassigned BIT-1556: --------------------------------------- Assignee: Matthias Vallentin > bro-2.4.1 fails to compile broker with -march=i686 > -------------------------------------------------- > > Key: BIT-1556 > URL: https://bro-tracker.atlassian.net/browse/BIT-1556 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro, Broker > Affects Versions: 2.4 > Environment: x86 chroot on Gentoo, with generic settings. E.g. -march=i686. > Reporter: M.B. > Assignee: Matthias Vallentin > Labels: build > Attachments: build.log > > > Build fails due to missing SSE support. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 18 20:57:00 2016 
From: jira at bro-tracker.atlassian.net (Matthias Vallentin (JIRA)) Date: Mon, 18 Apr 2016 22:57:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1522) Broker listener takes a long time to shut down on cluster stop/restart In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1522?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Matthias Vallentin reassigned BIT-1522: --------------------------------------- Assignee: Matthias Vallentin > Broker listener takes a long time to shut down on cluster stop/restart > ---------------------------------------------------------------------- > > Key: BIT-1522 > URL: https://bro-tracker.atlassian.net/browse/BIT-1522 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Broker > Affects Versions: 2.4 > Environment: Ubuntu 14.04, Bro 2.4.1 with Broker > Reporter: Stephen Hosom > Assignee: Matthias Vallentin > Fix For: 2.5 > > Attachments: broker-shutdown-test.bro > > > It looks like when shutting down Broker, the listener sticks around for an exceptionally long time (as much as a minute or more). Because of this, Broker's listener actually fails to re-bind to the port on the next cluster start silently. All Broker communication then fails to work silently. It can take a while to notice this failure, since nothing really complains. > The listener should probably shut down faster than 1 minute... but it might also make sense to add options to have the listener retry to start, or generate a failure message when it doesn't start. Maybe listener starts in bro_init should actually cause Bro to stop, so that the user sees the failure immediately? -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 18 20:54:00 2016 
From: jira at bro-tracker.atlassian.net (Matthias Vallentin (JIRA)) Date: Mon, 18 Apr 2016 22:54:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1554) broker (bro 2.4.1) fails to build against Python 3.{3, 4, 5} In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Matthias Vallentin reassigned BIT-1554: --------------------------------------- Assignee: Matthias Vallentin > broker (bro 2.4.1) fails to build against Python 3.{3,4,5} > ---------------------------------------------------------- > > Key: BIT-1554 > URL: https://bro-tracker.atlassian.net/browse/BIT-1554 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Broker > Affects Versions: 2.4 > Environment: Trying to compile Bro 2.4.1 on Gentoo Linux (x86_64) with broker enabled, against CAF 0.13.2, with python, using GCC support. > Reporter: M.B. > Assignee: Matthias Vallentin > Priority: High > Labels: build > Fix For: 2.5 > > Attachments: bro-2.4.1.ebuild, build.log > > > Bro fails to build. Details (in particular the options cmake gets called with) can be seen from the build.log. > For completeness I included the .ebuild. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 18 20:54:00 2016 
From: jira at bro-tracker.atlassian.net (Matthias Vallentin (JIRA)) Date: Mon, 18 Apr 2016 22:54:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1554) broker (bro 2.4.1) fails to build against Python 3.{3, 4, 5} In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25709#comment-25709 ] Matthias Vallentin commented on BIT-1554: ----------------------------------------- Fixing this "soon" would probably only be possible via a hotfix release. But since this is not a Bro issue, it doesn't seem to be the right path. We currently have major refactoring of Broker underway. In this scope, we can also convert the current bindings to Python 3. What should we do with Python 2 support? From a maintaining point of view, I'd say we should go with one version only, but I know too little about the deployment of Python 2. > broker (bro 2.4.1) fails to build against Python 3.{3,4,5} > ---------------------------------------------------------- > > Key: BIT-1554 > URL: https://bro-tracker.atlassian.net/browse/BIT-1554 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Broker > Affects Versions: 2.4 > Environment: Trying to compile Bro 2.4.1 on Gentoo Linux (x86_64) with broker enabled, against CAF 0.13.2, with python, using GCC support. > Reporter: M.B. > Priority: High > Labels: build > Fix For: 2.5 > > Attachments: bro-2.4.1.ebuild, build.log > > > Bro fails to build. Details (in particular the options cmake gets called with) can be seen from the build.log. > For completeness I included the .ebuild. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From noreply at bro.org Tue Apr 19 00:00:21 2016 
From: noreply at bro.org (Merge Tracker)
Date: Tue, 19 Apr 2016 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604190700.u3J70LiV002033@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter         Assignee      Updated     For Version    Priority    Summary
------------  -----------  ---------------  ------------  ----------  -------------  ----------  -----------------------------------------------------------------------------------------
BIT-1567 [1]  Bro          Johanna Amann    -             2016-04-11  2.5            Normal      Please merge topic/johanna/intel-cert-hash
BIT-1564 [2]  BroControl   Scott Knick      Justin Azoff  2016-04-07  2.5            Low         BroControl incorrectly references ok attribute of results even when None type is returned
BIT-1563 [3]  Bro          Daniel Thayer    -             2016-03-30  2.5            Normal      BrokerComm and BrokerStore namespaces should be combined
BIT-1549 [4]  BroControl   Daniel Thayer    Justin Azoff  2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1510 [5]  BroControl   Seth Hall        Justin Azoff  2016-04-07  2.5            Normal      Crash reports when no crash happened
BIT-1507 [6]  Bro          Jan Grashoefer   Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly
BIT-1506 [7]  Bro          Vlad Grigorescu  -             2016-04-11  2.5            Normal      Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

Open Fastpath Commits
======================

Commit        Component    Author         Date        Summary
------------  -----------  -------------  ----------  ---------------------------------------------
23d2562 [8]   bro          Seth Hall      2016-04-13  Revert "Fix RFB analyzer to build on FreeBSD"
16c0707 [9]   bro          Daniel Thayer  2016-04-13  Fix RFB analyzer to build on FreeBSD

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#52 [10]  bro          J-Gras [11]      2016-04-07  Fixed matching mail address intel [12]
#22 [13]  bro-plugins  nickwallen [14]  2016-04-11  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [15]
#18 [16]  bro-plugins  jshlbrd [17]     2016-03-03  SSDP analyzer [18]

[1] BIT-1567 https://bro-tracker.atlassian.net/browse/BIT-1567
[2] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564
[3] BIT-1563 https://bro-tracker.atlassian.net/browse/BIT-1563
[4] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549
[5] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510
[6] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[7] BIT-1506 https://bro-tracker.atlassian.net/browse/BIT-1506
[8] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673
[9] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f
[10] Pull Request #52 https://github.com/bro/bro/pull/52
[11] J-Gras https://github.com/J-Gras
[12] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[13] Pull Request #22 https://github.com/bro/bro-plugins/pull/22
[14] nickwallen https://github.com/nickwallen
[15] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[16] Pull Request #18 https://github.com/bro/bro-plugins/pull/18
[17] jshlbrd https://github.com/jshlbrd
[18] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From jira at bro-tracker.atlassian.net Tue Apr 19 16:21:00 2016
From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA)) Date: Tue, 19 Apr 2016 18:21:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1570) Added get_current_packet_header() bif In-Reply-To: References: Message-ID: Jan Grashoefer created BIT-1570: ----------------------------------- Summary: Added get_current_packet_header() bif Key: BIT-1570 URL: https://bro-tracker.atlassian.net/browse/BIT-1570 Project: Bro Issue Tracker Issue Type: Improvement Components: Bro Reporter: Jan Grashoefer [Pull request #65|https://github.com/bro/bro/pull/65] adds get_current_packet_header() BIF, which returns a raw_pkt_hdr record containing layer 2, 3 and 4 headers. This comes in handy e.g. for analyzing ICMP. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Tue Apr 19 16:21:01 2016 From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA)) Date: Tue, 19 Apr 2016 18:21:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1570) Added get_current_packet_header() bif In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1570?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jan Grashoefer updated BIT-1570: -------------------------------- Status: Merge Request (was: Open) > Added get_current_packet_header() bif > ------------------------------------- > > Key: BIT-1570 > URL: https://bro-tracker.atlassian.net/browse/BIT-1570 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Reporter: Jan Grashoefer > > [Pull request #65|https://github.com/bro/bro/pull/65] adds get_current_packet_header() BIF, which returns a raw_pkt_hdr record containing layer 2, 3 and 4 headers. This comes in handy e.g. for analyzing ICMP. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From noreply at bro.org Wed Apr 20 00:00:28 2016 
From: noreply at bro.org (Merge Tracker)
Date: Wed, 20 Apr 2016 00:00:28 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604200700.u3K70SEW025413@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter         Assignee      Updated     For Version    Priority    Summary
------------  -----------  ---------------  ------------  ----------  -------------  ----------  -----------------------------------------------------------------------------------------
BIT-1570 [1]  Bro          Jan Grashoefer   -             2016-04-19  -              Normal      Added get_current_packet_header() bif
BIT-1567 [2]  Bro          Johanna Amann    -             2016-04-11  2.5            Normal      Please merge topic/johanna/intel-cert-hash
BIT-1564 [3]  BroControl   Scott Knick      Justin Azoff  2016-04-07  2.5            Low         BroControl incorrectly references ok attribute of results even when None type is returned
BIT-1563 [4]  Bro          Daniel Thayer    -             2016-03-30  2.5            Normal      BrokerComm and BrokerStore namespaces should be combined
BIT-1549 [5]  BroControl   Daniel Thayer    Justin Azoff  2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1510 [6]  BroControl   Seth Hall        Justin Azoff  2016-04-07  2.5            Normal      Crash reports when no crash happened
BIT-1507 [7]  Bro          Jan Grashoefer   Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly
BIT-1506 [8]  Bro          Vlad Grigorescu  -             2016-04-11  2.5            Normal      Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

Open Fastpath Commits
======================

Commit        Component    Author         Date        Summary
------------  -----------  -------------  ----------  ---------------------------------------------
23d2562 [9]   bro          Seth Hall      2016-04-13  Revert "Fix RFB analyzer to build on FreeBSD"
16c0707 [10]  bro          Daniel Thayer  2016-04-13  Fix RFB analyzer to build on FreeBSD

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#65 [11]  bro          J-Gras [12]      2016-04-19  Added get_current_packet_header() bif [13]
#52 [14]  bro          J-Gras [15]      2016-04-07  Fixed matching mail address intel [16]
#22 [17]  bro-plugins  nickwallen [18]  2016-04-11  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [19]
#18 [20]  bro-plugins  jshlbrd [21]     2016-03-03  SSDP analyzer [22]

[1] BIT-1570 https://bro-tracker.atlassian.net/browse/BIT-1570
[2] BIT-1567 https://bro-tracker.atlassian.net/browse/BIT-1567
[3] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564
[4] BIT-1563 https://bro-tracker.atlassian.net/browse/BIT-1563
[5] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549
[6] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510
[7] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[8] BIT-1506 https://bro-tracker.atlassian.net/browse/BIT-1506
[9] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673
[10] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f
[11] Pull Request #65 https://github.com/bro/bro/pull/65
[12] J-Gras https://github.com/J-Gras
[13] Merge Pull Request #65 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/packet-header
[14] Pull Request #52 https://github.com/bro/bro/pull/52
[15] J-Gras https://github.com/J-Gras
[16] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[17] Pull Request #22 https://github.com/bro/bro-plugins/pull/22
[18] nickwallen https://github.com/nickwallen
[19] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[20] Pull Request #18 https://github.com/bro/bro-plugins/pull/18
[21] jshlbrd https://github.com/jshlbrd
[22] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From jira at bro-tracker.atlassian.net Wed Apr 20 04:59:01 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Wed, 20 Apr 2016 06:59:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readability
In-Reply-To:
References:
Message-ID:

Adam Slagell created BIT-1571:
---------------------------------

         Summary: Connection summaries w/ IPv6 have poor readability
             Key: BIT-1571
             URL: https://bro-tracker.atlassian.net/browse/BIT-1571
         Project: Bro Issue Tracker
      Issue Type: Improvement
      Components: BroControl
Affects Versions: 2.4
        Reporter: Adam Slagell
        Assignee: Daniel Thayer
        Priority: Low
         Fix For: 2,5
     Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt

The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From seth at icir.org Wed Apr 20 07:21:39 2016
From: seth at icir.org (Seth Hall)
Date: Wed, 20 Apr 2016 10:21:39 -0400
Subject: [Bro-Dev] Timing regression?
In-Reply-To: <20160414185219.GP64671@icir.org>
References: <20160414185219.GP64671@icir.org>
Message-ID: <5463EB78-21D9-4BAE-88D0-8DB31F5CCE90@icir.org>

> On Apr 14, 2016, at 2:52 PM, Robin Sommer wrote:
>
> I just ran the external testsuite for current master on my development
> system, and I'm seeing some quite increased execution times:
> [ 71%] tests.ipv6 ... failed (+39.8%)
> [ 85%] tests.m57-long ... failed (+9.8%)

Did you ever happen to figure out what was going on with this?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jira at bro-tracker.atlassian.net Wed Apr 20 08:08:01 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Wed, 20 Apr 2016 10:08:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann reassigned BIT-1506: ---------------------------------- Assignee: Johanna Amann > Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal > --------------------------------------------------------------------------- > > Key: BIT-1506 > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Assignee: Johanna Amann > Fix For: 2.5 > > > It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X > 10.11), and now Bro fails to build on OS X. Apple's recommendation is > that we either include a copy of OpenSSL ourselves or we use their > Secure Transport API. > [1] - -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Wed Apr 20 08:08:03 2016 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Wed, 20 Apr 2016 10:08:03 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1570) Added get_current_packet_header() bif In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1570?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann reassigned BIT-1570: ---------------------------------- Assignee: Johanna Amann > Added get_current_packet_header() bif > ------------------------------------- > > Key: BIT-1570 > URL: https://bro-tracker.atlassian.net/browse/BIT-1570 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Reporter: Jan Grashoefer > Assignee: Johanna Amann > > [Pull request #65|https://github.com/bro/bro/pull/65] adds get_current_packet_header() BIF, which returns a raw_pkt_hdr record containing layer 2, 3 and 4 headers. This comes in handy e.g. for analyzing ICMP. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Wed Apr 20 08:10:00 2016 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 20 Apr 2016 10:10:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1554) broker (bro 2.4.1) fails to build against Python 3.{3, 4, 5}
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25800#comment-25800 ]

Johanna Amann commented on BIT-1554:
------------------------------------

I already mentioned this to Matthias in person - but just for completeness - I think Broker should, for the foreseeable future, support both Python 2 and 3, as the rest of Bro.

> broker (bro 2.4.1) fails to build against Python 3.{3,4,5}
> ----------------------------------------------------------
>
>              Key: BIT-1554
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1554
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Broker
> Affects Versions: 2.4
>      Environment: Trying to compile Bro 2.4.1 on Gentoo Linux (x86_64) with broker enabled, against CAF 0.13.2, with python, using GCC support.
>         Reporter: M.B.
>         Assignee: Matthias Vallentin
>         Priority: High
>           Labels: build
>          Fix For: 2.5
>
>      Attachments: bro-2.4.1.ebuild, build.log
>
>
> Bro fails to build. Details (in particular the options cmake gets called with) can be seen from the build.log.
> For completeness I included the .ebuild.

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From jira at bro-tracker.atlassian.net Wed Apr 20 08:11:02 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Wed, 20 Apr 2016 10:11:02 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1554) broker (bro 2.4.1) fails to build against Python 3.{3, 4, 5} In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25801#comment-25801 ] Johanna Amann commented on BIT-1554: ------------------------------------ ...and to add a bit more of text - I also think we should fix this before the refactoring (hopefully it is not much). In the 2.4.1 build, broker is not enabled by default; so normally people will not trip over this. This is not the case anymore when compiling master. > broker (bro 2.4.1) fails to build against Python 3.{3,4,5} > ---------------------------------------------------------- > > Key: BIT-1554 > URL: https://bro-tracker.atlassian.net/browse/BIT-1554 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Broker > Affects Versions: 2.4 > Environment: Trying to compile Bro 2.4.1 on Gentoo Linux (x86_64) with broker enabled, against CAF 0.13.2, with python, using GCC support. > Reporter: M.B. > Assignee: Matthias Vallentin > Priority: High > Labels: build > Fix For: 2.5 > > Attachments: bro-2.4.1.ebuild, build.log > > > Bro fails to build. Details (in particular the options cmake gets called with) can be seen from the build.log. > For completeness I included the .ebuild. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Wed Apr 20 08:13:00 2016 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Wed, 20 Apr 2016 10:13:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1563) BrokerComm and BrokerStore namespaces should be combined In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1563?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann reassigned BIT-1563: ---------------------------------- Assignee: Johanna Amann > BrokerComm and BrokerStore namespaces should be combined > -------------------------------------------------------- > > Key: BIT-1563 > URL: https://bro-tracker.atlassian.net/browse/BIT-1563 > Project: Bro Issue Tracker > Issue Type: Task > Components: Bro > Reporter: Daniel Thayer > Assignee: Johanna Amann > Fix For: 2.5 > > > The BrokerComm and BrokerStore namespaces should be combined to > just "Broker". -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From johanna at icir.org Wed Apr 20 10:28:01 2016 
From: johanna at icir.org (Johanna Amann)
Date: Wed, 20 Apr 2016 10:28:01 -0700
Subject: [Bro-Dev] Deleting old branches
Message-ID: <20160420172801.GB82516@wifi82.sys.ICSI.Berkeley.EDU>

Hi,

we currently have a ton of branches in Bro which have been merged into master (some of them a long time ago). And - I would like to delete them, unless people think they are worth keeping around for some reason.

To be more specific, the branches I would like to delete are:

robin/topic/writer-info
topic/dnthayer/configure
topic/dnthayer/doc-fixes
topic/dnthayer/doc-fixes-for-2.3
topic/dnthayer/doc-improvements-2.4
topic/dnthayer/doc-updates
topic/dnthayer/fix-rdp
topic/dnthayer/langref
topic/dnthayer/mktemp
topic/dnthayer/ticket1160
topic/dnthayer/ticket1186
topic/dnthayer/ticket1206
topic/dnthayer/ticket1215
topic/dnthayer/ticket1467
topic/dnthayer/ticket1481
topic/dnthayer/ticket1503
topic/dnthayer/ticket856
topic/gilbert/plugin-api-tweak
topic/hui/dnp3-udp
topic/hui/modbus-events
topic/jazoff/notice_file_info
topic/jazoff/ssl-validation-fix
topic/jazoff/suppression
topic/jdopheid/BIT-1242
topic/jdopheid/bro/edits_to_installation_and_getting_started
topic/jdopheid/bro_documentation
topic/johanna/filter_subnet_table
topic/johanna/function-recursion
topic/johanna/openflow
topic/johanna/stats_smb_leak
topic/johanna/str-functions
topic/jsiwek/asan-fixes
topic/jsiwek/ascii-log-memleak-fix
topic/jsiwek/bif-loader-scripts
topic/jsiwek/bit-1077
topic/jsiwek/bit-1153
topic/jsiwek/bit-1156
topic/jsiwek/bit-1166
topic/jsiwek/bit-1176
topic/jsiwek/bit-1235
topic/jsiwek/bit-1240
topic/jsiwek/bit-1246
topic/jsiwek/bit-1247
topic/jsiwek/bit-1248
topic/jsiwek/bit-1280
topic/jsiwek/bit-1288
topic/jsiwek/bit-1295
topic/jsiwek/bit-1296
topic/jsiwek/bit-1298
topic/jsiwek/bit-1305
topic/jsiwek/bit-1324
topic/jsiwek/bit-1343
topic/jsiwek/bit-1350
topic/jsiwek/bit-1367
topic/jsiwek/bit-1368
topic/jsiwek/bit-1373
topic/jsiwek/bit-1376
topic/jsiwek/bit-1384
topic/jsiwek/bit-1408
topic/jsiwek/bit-342
topic/jsiwek/bit-348
topic/jsiwek/bit-788
topic/jsiwek/bit-844
topic/jsiwek/broccoli-vectors
topic/jsiwek/broker
topic/jsiwek/broxygen
topic/jsiwek/coverity
topic/jsiwek/deprecation
topic/jsiwek/dnp3-udp
topic/jsiwek/dns-perf
topic/jsiwek/dns_fake
topic/jsiwek/faf-perf
topic/jsiwek/faster-val-clone
topic/jsiwek/file-reassembly-merge
topic/jsiwek/file-signatures
topic/jsiwek/flip-roles
topic/jsiwek/gre
topic/jsiwek/http-file-id-caching
topic/jsiwek/improve-type-checks
topic/jsiwek/improve_comm_loop
topic/jsiwek/jemalloc
topic/jsiwek/jj-bugs
topic/jsiwek/libmagic-integration
topic/jsiwek/mime-multipart-boundary-leniency
topic/jsiwek/misc-fixes
topic/jsiwek/missing-pac-deps
topic/jsiwek/missing-plugin
topic/jsiwek/new-libmagic
topic/jsiwek/odesc-escaping
topic/jsiwek/outer_param_binding
topic/jsiwek/parse-only
topic/jsiwek/pktsrc-idle
topic/jsiwek/remove-val-attribs
topic/jsiwek/review-rafael-bro-manual-changes
topic/jsiwek/snmp
topic/jsiwek/socks-authentication
topic/jsiwek/string-slicing-fix
topic/jsiwek/tcp-improvements
topic/jsiwek/while
topic/matthias/bloomfilter-fix
topic/rafaelb/new-Bro-Manual-Development-Edition-Update1
topic/robin/ascii-escape-normalization
topic/robin/bit-348-merge
topic/robin/bpf-vector
topic/robin/dnp3-merge-v4
topic/robin/dynamic-plugins-2.3
topic/robin/event-dumper
topic/robin/http-connect
topic/robin/modbus-events-merge
topic/robin/pacf
topic/robin/pktsrc
topic/robin/plugin-updates
topic/robin/reader-writer-plugins
topic/robin/rework-packets-merge
topic/robin/smtp-fix
topic/seth/ascii-escape-normalization
topic/seth/compiler-cleanup
topic/seth/deflate-missing-headers-fix
topic/seth/dnp3-wrong-sizeof-argument
topic/seth/dns-srv-fix
topic/seth/file-analysis-exe-analyzer
topic/seth/file-entropy
topic/seth/files-reassembly-and-mime-updates
topic/seth/files-tracking
topic/seth/http-connect
topic/seth/ie11-software-parsing
topic/seth/json-formatter
topic/seth/mime-updates
topic/seth/modbus_dpd_fix
topic/seth/more-file-type-ident-fixes
topic/seth/radiotap
topic/seth/rdp
topic/seth/sip-fixes
topic/seth/snmp
topic/seth/socks-authentication
topic/struck/BIT-1277
topic/struck/BIT-1287
topic/struck/openflow
topic/vladg/bit-1410
topic/vladg/bit-1458
topic/vladg/bit-1460
topic/vladg/bit-1466
topic/vladg/bit-1528
topic/vladg/bit-1533
topic/vladg/kerberos
topic/vladg/mysql
topic/vladg/radius
topic/vladg/rrsig
topic/vladg/sip
topic/vladg/socks_fix
topic/vladg/ssh

Johanna

From jira at bro-tracker.atlassian.net Wed Apr 20 12:09:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Wed, 20 Apr 2016 14:09:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25802#comment-25802 ] Johanna Amann commented on BIT-1506: ------------------------------------ [~grigorescu] - one more small question: in your branch, you use the ports,brew,find binaries to find the path. Would it make sense to still, in addition, hardcode /opt/local, /usr/local and /sw just in case there are more people like me who, e.g., do not have the commands in their default search path? If that is ok, I will just do that during merging. At least at the moment I am hard pressed to come up with a disadvantage to this. > Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal > --------------------------------------------------------------------------- > > Key: BIT-1506 > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Assignee: Johanna Amann > Fix For: 2.5 > > > It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X > 10.11), and now Bro fails to build on OS X. Apple's recommendation is > that we either include a copy of OpenSSL ourselves or we use their > Secure Transport API. > [1] - -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From robin at icir.org Wed Apr 20 12:49:13 2016 
From: robin at icir.org (Robin Sommer)
Date: Wed, 20 Apr 2016 12:49:13 -0700
Subject: [Bro-Dev] Timing regression?
In-Reply-To: <5463EB78-21D9-4BAE-88D0-8DB31F5CCE90@icir.org>
References: <20160414185219.GP64671@icir.org> <5463EB78-21D9-4BAE-88D0-8DB31F5CCE90@icir.org>
Message-ID: <20160420194913.GL69000@icir.org>

On Wed, Apr 20, 2016 at 10:21 -0400, you wrote:

> Did you ever happen to figure out what was going on with this?

No, but I also didn't look further. Could it be the new file
identifications (i.e., the regexps)?

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From jira at bro-tracker.atlassian.net Wed Apr 20 14:54:00 2016
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Wed, 20 Apr 2016 16:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25803#comment-25803 ]

Vlad Grigorescu commented on BIT-1506:
--------------------------------------

[~johanna] - Sure, that's a good idea. Is it reasonable to add those to the end of the search paths, in that case, though? I'm worried about the case where, for example, I have an old OpenSSL floating around and that will get picked up first. (I haven't checked to see exactly in what order it would get added).

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---------------------------------------------------------------------------
>
>                 Key: BIT-1506
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1506
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Vlad Grigorescu
>            Assignee: Johanna Amann
>             Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] -

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From noreply at bro.org Thu Apr 21 00:00:21 2016
From: noreply at bro.org (Merge Tracker)
Date: Thu, 21 Apr 2016 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604210700.u3L70LtQ018537@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter         Assignee       Updated     For Version    Priority    Summary
------------  -----------  ---------------  -------------  ----------  -------------  ----------  -----------------------------------------------------------------------------------------
BIT-1570 [1]  Bro          Jan Grashoefer   Johanna Amann  2016-04-20  -              Normal      Added get_current_packet_header() bif
BIT-1567 [2]  Bro          Johanna Amann    -              2016-04-11  2.5            Normal      Please merge topic/johanna/intel-cert-hash
BIT-1564 [3]  BroControl   Scott Knick      Justin Azoff   2016-04-07  2.5            Low         BroControl incorrectly references ok attribute of results even when None type is returned
BIT-1563 [4]  Bro          Daniel Thayer    Johanna Amann  2016-04-20  2.5            Normal      BrokerComm and BrokerStore namespaces should be combined
BIT-1549 [5]  BroControl   Daniel Thayer    Justin Azoff   2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1510 [6]  BroControl   Seth Hall        Justin Azoff   2016-04-07  2.5            Normal      Crash reports when no crash happened
BIT-1507 [7]  Bro          Jan Grashoefer   Seth Hall      2016-01-25  -              Low         Intel framework does not match mail addresses properly
BIT-1506 [8]  Bro          Vlad Grigorescu  Johanna Amann  2016-04-20  2.5            Normal      Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

Open Fastpath Commits
======================

Commit        Component    Author         Date        Summary
------------  -----------  -------------  ----------  ---------------------------------------------
23d2562 [9]   bro          Seth Hall      2016-04-13  Revert "Fix RFB analyzer to build on FreeBSD"
16c0707 [10]  bro          Daniel Thayer  2016-04-13  Fix RFB analyzer to build on FreeBSD

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#65 [11]  bro          J-Gras [12]      2016-04-20  Added get_current_packet_header() bif [13]
#52 [14]  bro          J-Gras [15]      2016-04-07  Fixed matching mail address intel [16]
#22 [17]  bro-plugins  nickwallen [18]  2016-04-11  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [19]
#18 [20]  bro-plugins  jshlbrd [21]     2016-03-03  SSDP analyzer [22]

[1] BIT-1570 https://bro-tracker.atlassian.net/browse/BIT-1570
[2] BIT-1567 https://bro-tracker.atlassian.net/browse/BIT-1567
[3] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564
[4] BIT-1563 https://bro-tracker.atlassian.net/browse/BIT-1563
[5] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549
[6] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510
[7] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[8] BIT-1506 https://bro-tracker.atlassian.net/browse/BIT-1506
[9] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673
[10] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f
[11] Pull Request #65 https://github.com/bro/bro/pull/65
[12] J-Gras https://github.com/J-Gras
[13] Merge Pull Request #65 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/packet-header
[14] Pull Request #52 https://github.com/bro/bro/pull/52
[15] J-Gras https://github.com/J-Gras
[16] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[17] Pull Request #22 https://github.com/bro/bro-plugins/pull/22
[18] nickwallen https://github.com/nickwallen
[19] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[20] Pull Request #18 https://github.com/bro/bro-plugins/pull/18
[21] jshlbrd https://github.com/jshlbrd
[22] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From jira at bro-tracker.atlassian.net Thu Apr 21 08:23:04 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 21 Apr 2016 10:23:04 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25804#comment-25804 ]

Johanna Amann commented on BIT-1506:
------------------------------------

Yup, that actually was my plan :). Thanks.

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---------------------------------------------------------------------------
>
>                 Key: BIT-1506
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1506
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Vlad Grigorescu
>            Assignee: Johanna Amann
>             Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] -

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From jira at bro-tracker.atlassian.net Thu Apr 21 14:50:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 21 Apr 2016 16:50:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1506:
-------------------------------
    Resolution: Merged (was: Fixed)
        Status: Closed (was: Merge Request)

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---------------------------------------------------------------------------
>
>                 Key: BIT-1506
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1506
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Vlad Grigorescu
>            Assignee: Johanna Amann
>             Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] -

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From noreply at bro.org Fri Apr 22 00:00:21 2016
From: noreply at bro.org (Merge Tracker)
Date: Fri, 22 Apr 2016 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604220700.u3M70LhX010292@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee       Updated     For Version    Priority    Summary
------------  -----------  --------------  -------------  ----------  -------------  ----------  -----------------------------------------------------------------------------------------
BIT-1570 [1]  Bro          Jan Grashoefer  Johanna Amann  2016-04-20  -              Normal      Added get_current_packet_header() bif
BIT-1567 [2]  Bro          Johanna Amann   -              2016-04-11  2.5            Normal      Please merge topic/johanna/intel-cert-hash
BIT-1564 [3]  BroControl   Scott Knick     Justin Azoff   2016-04-07  2.5            Low         BroControl incorrectly references ok attribute of results even when None type is returned
BIT-1563 [4]  Bro          Daniel Thayer   Johanna Amann  2016-04-20  2.5            Normal      BrokerComm and BrokerStore namespaces should be combined
BIT-1549 [5]  BroControl   Daniel Thayer   Justin Azoff   2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1510 [6]  BroControl   Seth Hall       Justin Azoff   2016-04-07  2.5            Normal      Crash reports when no crash happened
BIT-1507 [7]  Bro          Jan Grashoefer  Seth Hall      2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open Fastpath Commits
======================

Commit       Component    Author         Date        Summary
-----------  -----------  -------------  ----------  ---------------------------------------------
23d2562 [8]  bro          Seth Hall      2016-04-13  Revert "Fix RFB analyzer to build on FreeBSD"
16c0707 [9]  bro          Daniel Thayer  2016-04-13  Fix RFB analyzer to build on FreeBSD

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#65 [10]  bro          J-Gras [11]      2016-04-20  Added get_current_packet_header() bif [12]
#52 [13]  bro          J-Gras [14]      2016-04-07  Fixed matching mail address intel [15]
#22 [16]  bro-plugins  nickwallen [17]  2016-04-11  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [18]
#18 [19]  bro-plugins  jshlbrd [20]     2016-03-03  SSDP analyzer [21]

[1] BIT-1570 https://bro-tracker.atlassian.net/browse/BIT-1570
[2] BIT-1567 https://bro-tracker.atlassian.net/browse/BIT-1567
[3] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564
[4] BIT-1563 https://bro-tracker.atlassian.net/browse/BIT-1563
[5] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549
[6] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510
[7] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[8] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673
[9] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f
[10] Pull Request #65 https://github.com/bro/bro/pull/65
[11] J-Gras https://github.com/J-Gras
[12] Merge Pull Request #65 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/packet-header
[13] Pull Request #52 https://github.com/bro/bro/pull/52
[14] J-Gras https://github.com/J-Gras
[15] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[16] Pull Request #22 https://github.com/bro/bro-plugins/pull/22
[17] nickwallen https://github.com/nickwallen
[18] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[19] Pull Request #18 https://github.com/bro/bro-plugins/pull/18
[20] jshlbrd https://github.com/jshlbrd
[21] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From jira at bro-tracker.atlassian.net Fri Apr 22 08:35:00 2016
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 22 Apr 2016 10:35:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1567) Please merge topic/johanna/intel-cert-hash
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1567:
---------------------------------
    Assignee: Robin Sommer

> Please merge topic/johanna/intel-cert-hash
> ------------------------------------------
>
>                 Key: BIT-1567
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1567
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.4
>            Reporter: Johanna Amann
>            Assignee: Robin Sommer
>             Fix For: 2.5
>
>
> Please merge topic/johanna/intel-cert-hash; this patch makes it so that the indicator type INTEL::CERT_HASH actually matches against certificate hashes

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From jira at bro-tracker.atlassian.net Fri Apr 22 10:29:00 2016
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 22 Apr 2016 12:29:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1567) Please merge topic/johanna/intel-cert-hash
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1567:
------------------------------
    Resolution: Merged (was: Fixed)
        Status: Closed (was: Merge Request)

> Please merge topic/johanna/intel-cert-hash
> ------------------------------------------
>
>                 Key: BIT-1567
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1567
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.4
>            Reporter: Johanna Amann
>            Assignee: Robin Sommer
>             Fix For: 2.5
>
>
> Please merge topic/johanna/intel-cert-hash; this patch makes it so that the indicator type INTEL::CERT_HASH actually matches against certificate hashes

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From jira at bro-tracker.atlassian.net Fri Apr 22 16:46:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 22 Apr 2016 18:46:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1563) BrokerComm and BrokerStore namespaces should be combined
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1563?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1563:
-------------------------------
    Resolution: Merged (was: Fixed)
        Status: Closed (was: Merge Request)

> BrokerComm and BrokerStore namespaces should be combined
> --------------------------------------------------------
>
>                 Key: BIT-1563
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1563
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>            Reporter: Daniel Thayer
>            Assignee: Johanna Amann
>             Fix For: 2.5
>
>
> The BrokerComm and BrokerStore namespaces should be combined to
> just "Broker".

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From jira at bro-tracker.atlassian.net Fri Apr 22 16:46:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 22 Apr 2016 18:46:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1570) Added get_current_packet_header() bif
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1570?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1570:
-------------------------------
    Resolution: Merged (was: Fixed)
        Status: Closed (was: Merge Request)

> Added get_current_packet_header() bif
> -------------------------------------
>
>                 Key: BIT-1570
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1570
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>            Reporter: Jan Grashoefer
>            Assignee: Johanna Amann
>
> [Pull request #65|https://github.com/bro/bro/pull/65] adds get_current_packet_header() BIF, which returns a raw_pkt_hdr record containing layer 2, 3 and 4 headers. This comes in handy e.g. for analyzing ICMP.

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From noreply at bro.org Sat Apr 23 00:00:43 2016
From: noreply at bro.org (Merge Tracker)
Date: Sat, 23 Apr 2016 00:00:43 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604230700.u3N70hY9010867@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee      Updated     For Version    Priority    Summary
------------  -----------  --------------  ------------  ----------  -------------  ----------  -----------------------------------------------------------------------------------------
BIT-1564 [1]  BroControl   Scott Knick     Justin Azoff  2016-04-07  2.5            Low         BroControl incorrectly references ok attribute of results even when None type is returned
BIT-1549 [2]  BroControl   Daniel Thayer   Justin Azoff  2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1510 [3]  BroControl   Seth Hall       Justin Azoff  2016-04-07  2.5            Normal      Crash reports when no crash happened
BIT-1507 [4]  Bro          Jan Grashoefer  Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open Fastpath Commits
======================

Commit       Component    Author         Date        Summary
-----------  -----------  -------------  ----------  ---------------------------------------------
23d2562 [5]  bro          Seth Hall      2016-04-13  Revert "Fix RFB analyzer to build on FreeBSD"
16c0707 [6]  bro          Daniel Thayer  2016-04-13  Fix RFB analyzer to build on FreeBSD

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#67 [7]   bro          marktayl [8]     2016-04-22  Add DNS "CAA" RR type and event. [9]
#66 [10]  bro          marktayl [11]    2016-04-22  DNS TTL responses are to be unsigned. [12]
#52 [13]  bro          J-Gras [14]      2016-04-07  Fixed matching mail address intel [15]
#22 [16]  bro-plugins  nickwallen [17]  2016-04-11  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [18]
#18 [19]  bro-plugins  jshlbrd [20]     2016-03-03  SSDP analyzer [21]

[1] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564
[2] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549
[3] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510
[4] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[5] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673
[6] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f
[7] Pull Request #67 https://github.com/bro/bro/pull/67
[8] marktayl https://github.com/marktayl
[9] Merge Pull Request #67 with git pull --no-ff --no-commit https://github.com/marktayl/bro.git dns-caa-decode
[10] Pull Request #66 https://github.com/bro/bro/pull/66
[11] marktayl https://github.com/marktayl
[12] Merge Pull Request #66 with git pull --no-ff --no-commit https://github.com/marktayl/bro.git dns-negative-ttl
[13] Pull Request #52 https://github.com/bro/bro/pull/52
[14] J-Gras https://github.com/J-Gras
[15] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[16] Pull Request #22 https://github.com/bro/bro-plugins/pull/22
[17] nickwallen https://github.com/nickwallen
[18] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[19] Pull Request #18 https://github.com/bro/bro-plugins/pull/18
[20] jshlbrd https://github.com/jshlbrd
[21] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From noreply at bro.org Sun Apr 24 00:00:17 2016
From: noreply at bro.org (Merge Tracker)
Date: Sun, 24 Apr 2016 00:00:17 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604240700.u3O70HvL029584@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee      Updated     For Version    Priority    Summary
------------  -----------  --------------  ------------  ----------  -------------  ----------  -----------------------------------------------------------------------------------------
BIT-1564 [1]  BroControl   Scott Knick     Justin Azoff  2016-04-07  2.5            Low         BroControl incorrectly references ok attribute of results even when None type is returned
BIT-1549 [2]  BroControl   Daniel Thayer   Justin Azoff  2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1510 [3]  BroControl   Seth Hall       Justin Azoff  2016-04-07  2.5            Normal      Crash reports when no crash happened
BIT-1507 [4]  Bro          Jan Grashoefer  Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open Fastpath Commits
======================

Commit       Component    Author         Date        Summary
-----------  -----------  -------------  ----------  ---------------------------------------------
23d2562 [5]  bro          Seth Hall      2016-04-13  Revert "Fix RFB analyzer to build on FreeBSD"
16c0707 [6]  bro          Daniel Thayer  2016-04-13  Fix RFB analyzer to build on FreeBSD

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#67 [7]   bro          marktayl [8]     2016-04-22  Add DNS "CAA" RR type and event. [9]
#66 [10]  bro          marktayl [11]    2016-04-22  DNS TTL responses are to be unsigned. [12]
#52 [13]  bro          J-Gras [14]      2016-04-07  Fixed matching mail address intel [15]
#22 [16]  bro-plugins  nickwallen [17]  2016-04-11  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [18]
#18 [19]  bro-plugins  jshlbrd [20]     2016-03-03  SSDP analyzer [21]

[1] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564
[2] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549
[3] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510
[4] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[5] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673
[6] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f
[7] Pull Request #67 https://github.com/bro/bro/pull/67
[8] marktayl https://github.com/marktayl
[9] Merge Pull Request #67 with git pull --no-ff --no-commit https://github.com/marktayl/bro.git dns-caa-decode
[10] Pull Request #66 https://github.com/bro/bro/pull/66
[11] marktayl https://github.com/marktayl
[12] Merge Pull Request #66 with git pull --no-ff --no-commit https://github.com/marktayl/bro.git dns-negative-ttl
[13] Pull Request #52 https://github.com/bro/bro/pull/52
[14] J-Gras https://github.com/J-Gras
[15] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[16] Pull Request #22 https://github.com/bro/bro-plugins/pull/22
[17] nickwallen https://github.com/nickwallen
[18] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[19] Pull Request #18 https://github.com/bro/bro-plugins/pull/18
[20] jshlbrd https://github.com/jshlbrd
[21] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From noreply at bro.org Mon Apr 25 00:00:30 2016
From: noreply at bro.org (Merge Tracker)
Date: Mon, 25 Apr 2016 00:00:30 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604250700.u3P70UMH014911@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee      Updated     For Version    Priority    Summary
------------  -----------  --------------  ------------  ----------  -------------  ----------  -----------------------------------------------------------------------------------------
BIT-1564 [1]  BroControl   Scott Knick     Justin Azoff  2016-04-07  2.5            Low         BroControl incorrectly references ok attribute of results even when None type is returned
BIT-1549 [2]  BroControl   Daniel Thayer   Justin Azoff  2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1510 [3]  BroControl   Seth Hall       Justin Azoff  2016-04-07  2.5            Normal      Crash reports when no crash happened
BIT-1507 [4]  Bro          Jan Grashoefer  Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open Fastpath Commits
======================

Commit       Component    Author         Date        Summary
-----------  -----------  -------------  ----------  ---------------------------------------------
23d2562 [5]  bro          Seth Hall      2016-04-13  Revert "Fix RFB analyzer to build on FreeBSD"
16c0707 [6]  bro          Daniel Thayer  2016-04-13  Fix RFB analyzer to build on FreeBSD

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#67 [7]   bro          marktayl [8]     2016-04-22  Add DNS "CAA" RR type and event. [9]
#66 [10]  bro          marktayl [11]    2016-04-22  DNS TTL responses are to be unsigned. [12]
#52 [13]  bro          J-Gras [14]      2016-04-07  Fixed matching mail address intel [15]
#22 [16]  bro-plugins  nickwallen [17]  2016-04-11  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [18]
#18 [19]  bro-plugins  jshlbrd [20]     2016-03-03  SSDP analyzer [21]

[1] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564
[2] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549
[3] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510
[4] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[5] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673
[6] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f
[7] Pull Request #67 https://github.com/bro/bro/pull/67
[8] marktayl https://github.com/marktayl
[9] Merge Pull Request #67 with git pull --no-ff --no-commit https://github.com/marktayl/bro.git dns-caa-decode
[10] Pull Request #66 https://github.com/bro/bro/pull/66
[11] marktayl https://github.com/marktayl
[12] Merge Pull Request #66 with git pull --no-ff --no-commit https://github.com/marktayl/bro.git dns-negative-ttl
[13] Pull Request #52 https://github.com/bro/bro/pull/52
[14] J-Gras https://github.com/J-Gras
[15] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[16] Pull Request #22 https://github.com/bro/bro-plugins/pull/22
[17] nickwallen https://github.com/nickwallen
[18] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[19] Pull Request #18 https://github.com/bro/bro-plugins/pull/18
[20] jshlbrd https://github.com/jshlbrd
[21] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From jira at bro-tracker.atlassian.net Mon Apr 25 14:57:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Mon, 25 Apr 2016 16:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readabiity
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25806#comment-25806 ]

Adam Slagell commented on BIT-1571:
-----------------------------------

I also noticed an error. The port column is really a port or ICMP code. The correct fix is probably to change the behavior of the python script to not count a port number for ICMP as those aren't ports.

> Connection summaries w/ IPv6 have poor readabiity
> -------------------------------------------------
>
>                 Key: BIT-1571
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1571
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: BroControl
>    Affects Versions: 2.4
>            Reporter: Adam Slagell
>            Assignee: Daniel Thayer
>            Priority: Low
>             Fix For: 2,5
>
>         Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt
>
>
> The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From jira at bro-tracker.atlassian.net Mon Apr 25 14:58:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Mon, 25 Apr 2016 16:58:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readabiity
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25806#comment-25806 ]

Adam Slagell edited comment on BIT-1571 at 4/25/16 4:57 PM:
------------------------------------------------------------

I also noticed an error. The port column is really a port or ICMP code. The correct fix is probably to change the behavior of the python script to not count a port number for ICMP as those aren't ports.

Here is an example. "port" 135 and 136 are ICMP codes in this summary.

== fe80::/6 === 2016-04-25-08-41-20 - 2016-04-25-13-55-08
- Connections 909.0 - Payload 859.5k -
Ports | Sources | Destinations | Services | Protocols | States |
136 55.9% | fe80::201:5cff:fe63:1846#1 55.4% | ff02::fb#2 40.7% | - 59.3% | 1 57.5% | OTH 57.5% |
5353 40.7% | fe80::f299:bfff:fe00:4bd0#3 42.8% | ff02::1:ff02:7503#4 7.6% | dns 40.7% | 17 42.5% | S0 42.1% |
500 1.8% | fd1e:715a:47a1:67c5:d5f:b0cd:b68f:ac6c#5 1.7% | ff02::1:ff02:e0e3#6 6.6% | | | SF 0.3% |
135 1.7% | fd1e:715a:47a1:67c5:756e:dc63:f20d:4c92#7 0.1% | ff02::1:ff89:dce0#8 2.5% | | | |
| | fe80::201:5cff:fe63:1846#9 2.1% | | | |
| | 2001:558:6033:197:211c:1c06:2d22:5a23#10 2.0% | | | |
| | fe80::f299:bfff:fe00:4bd0#11 1.9% | | | |
| | ff02::1:ff22:157f#12 1.8% | | | |
| | fd1e:715a:47a1:67c5:51aa:889:3ca8:e4bf#13 1.8% | | | |
| | ff02::1:ff9c:2584#14 1.0% | | | |

was (Author: slagell):
I also noticed an error. The port column is really a port or ICMP code. The correct fix is probably to change the behavior of the python script to not count a port number for ICMP as those aren't ports.

> Connection summaries w/ IPv6 have poor readabiity
> -------------------------------------------------
>
>                 Key: BIT-1571
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1571
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: BroControl
>    Affects Versions: 2.4
>            Reporter: Adam Slagell
>            Assignee: Daniel Thayer
>            Priority: Low
>             Fix For: 2,5
>
>         Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt
>
>
> The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From jira at bro-tracker.atlassian.net Mon Apr 25 14:59:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Mon, 25 Apr 2016 16:59:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readabiity
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25806#comment-25806 ]

Adam Slagell edited comment on BIT-1571 at 4/25/16 4:58 PM:
------------------------------------------------------------

I also noticed an error. The port column is really a port or ICMP code. The correct fix is probably to change the behavior of the python script to not count a port number for ICMP as those aren't ports.

Here is an example. "port" 135 and 136 are ICMP codes in this summary.

{{
- Connections 909.0 - Payload 859.5k -
Ports | Sources | Destinations | Services | Protocols | States |
136 55.9% | fe80::201:5cff:fe63:1846#1 55.4% | ff02::fb#2 40.7% | - 59.3% | 1 57.5% | OTH 57.5% |
5353 40.7% | fe80::f299:bfff:fe00:4bd0#3 42.8% | ff02::1:ff02:7503#4 7.6% | dns 40.7% | 17 42.5% | S0 42.1% |
500 1.8% | fd1e:715a:47a1:67c5:d5f:b0cd:b68f:ac6c#5 1.7% | ff02::1:ff02:e0e3#6 6.6% | | | SF 0.3% |
135 1.7% | fd1e:715a:47a1:67c5:756e:dc63:f20d:4c92#7 0.1% | ff02::1:ff89:dce0#8 2.5% | | | |
| | fe80::201:5cff:fe63:1846#9 2.1% | | | |
| | 2001:558:6033:197:211c:1c06:2d22:5a23#10 2.0% | | | |
| | fe80::f299:bfff:fe00:4bd0#11 1.9% | | | |
| | ff02::1:ff22:157f#12 1.8% | | | |
| | fd1e:715a:47a1:67c5:51aa:889:3ca8:e4bf#13 1.8% | | | |
| | ff02::1:ff9c:2584#14 1.0% | | | |
}}

was (Author: slagell):
I also noticed an error. The port column is really a port or ICMP code. The correct fix is probably to change the behavior of the python script to not count a port number for ICMP as those aren't ports.

Here is an example. "port" 135 and 136 are ICMP codes in this summary.

== fe80::/6 === 2016-04-25-08-41-20 - 2016-04-25-13-55-08
- Connections 909.0 - Payload 859.5k -
Ports | Sources | Destinations | Services | Protocols | States |
136 55.9% | fe80::201:5cff:fe63:1846#1 55.4% | ff02::fb#2 40.7% | - 59.3% | 1 57.5% | OTH 57.5% |
5353 40.7% | fe80::f299:bfff:fe00:4bd0#3 42.8% | ff02::1:ff02:7503#4 7.6% | dns 40.7% | 17 42.5% | S0 42.1% |
500 1.8% | fd1e:715a:47a1:67c5:d5f:b0cd:b68f:ac6c#5 1.7% | ff02::1:ff02:e0e3#6 6.6% | | | SF 0.3% |
135 1.7% | fd1e:715a:47a1:67c5:756e:dc63:f20d:4c92#7 0.1% | ff02::1:ff89:dce0#8 2.5% | | | |
| | fe80::201:5cff:fe63:1846#9 2.1% | | | |
| | 2001:558:6033:197:211c:1c06:2d22:5a23#10 2.0% | | | |
| | fe80::f299:bfff:fe00:4bd0#11 1.9% | | | |
| | ff02::1:ff22:157f#12 1.8% | | | |
| | fd1e:715a:47a1:67c5:51aa:889:3ca8:e4bf#13 1.8% | | | |
| | ff02::1:ff9c:2584#14 1.0% | | | |

> Connection summaries w/ IPv6 have poor readabiity
> -------------------------------------------------
>
>                 Key: BIT-1571
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1571
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: BroControl
>    Affects Versions: 2.4
>            Reporter: Adam Slagell
>            Assignee: Daniel Thayer
>            Priority: Low
>             Fix For: 2,5
>
>         Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt
>
>
> The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.

--
This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002)

From johanna at icir.org Mon Apr 25 15:56:04 2016
From: johanna at icir.org (Johanna Amann) Date: Mon, 25 Apr 2016 15:56:04 -0700 Subject: [Bro-Dev] Deleting old branches In-Reply-To: <20160420172801.GB82516@wifi82.sys.ICSI.Berkeley.EDU> References: <20160420172801.GB82516@wifi82.sys.ICSI.Berkeley.EDU> Message-ID: <20160425225603.GA29445@Beezling.local> Just one more warning - if no one complains, I will go ahead and delete all of this on Friday. Johanna On Wed, Apr 20, 2016 at 10:28:01AM -0700, Johanna Amann wrote: > Hi, > > we currently have a ton of branches in Bro which have been merged into > master (some of them a long time ago). And - I would like to delete them, > unless people think they are worth keeping around for some reason. > > To be more specific, the branches I would like to delete are: > > robin/topic/writer-info > topic/dnthayer/configure > topic/dnthayer/doc-fixes > topic/dnthayer/doc-fixes-for-2.3 > topic/dnthayer/doc-improvements-2.4 > topic/dnthayer/doc-updates > topic/dnthayer/fix-rdp > topic/dnthayer/langref > topic/dnthayer/mktemp > topic/dnthayer/ticket1160 > topic/dnthayer/ticket1186 > topic/dnthayer/ticket1206 > topic/dnthayer/ticket1215 > topic/dnthayer/ticket1467 > topic/dnthayer/ticket1481 > topic/dnthayer/ticket1503 > topic/dnthayer/ticket856 > topic/gilbert/plugin-api-tweak > topic/hui/dnp3-udp > topic/hui/modbus-events > topic/jazoff/notice_file_info > topic/jazoff/ssl-validation-fix > topic/jazoff/suppression > topic/jdopheid/BIT-1242 > topic/jdopheid/bro/edits_to_installation_and_getting_started > topic/jdopheid/bro_documentation > topic/johanna/filter_subnet_table > topic/johanna/function-recursion > topic/johanna/openflow > topic/johanna/stats_smb_leak > topic/johanna/str-functions > topic/jsiwek/asan-fixes > topic/jsiwek/ascii-log-memleak-fix > topic/jsiwek/bif-loader-scripts > topic/jsiwek/bit-1077 > topic/jsiwek/bit-1153 > topic/jsiwek/bit-1156 > topic/jsiwek/bit-1166 > topic/jsiwek/bit-1176 > topic/jsiwek/bit-1235 > topic/jsiwek/bit-1240 > topic/jsiwek/bit-1246 > 
topic/jsiwek/bit-1247 > topic/jsiwek/bit-1248 > topic/jsiwek/bit-1280 > topic/jsiwek/bit-1288 > topic/jsiwek/bit-1295 > topic/jsiwek/bit-1296 > topic/jsiwek/bit-1298 > topic/jsiwek/bit-1305 > topic/jsiwek/bit-1324 > topic/jsiwek/bit-1343 > topic/jsiwek/bit-1350 > topic/jsiwek/bit-1367 > topic/jsiwek/bit-1368 > topic/jsiwek/bit-1373 > topic/jsiwek/bit-1376 > topic/jsiwek/bit-1384 > topic/jsiwek/bit-1408 > topic/jsiwek/bit-342 > topic/jsiwek/bit-348 > topic/jsiwek/bit-788 > topic/jsiwek/bit-844 > topic/jsiwek/broccoli-vectors > topic/jsiwek/broker > topic/jsiwek/broxygen > topic/jsiwek/coverity > topic/jsiwek/deprecation > topic/jsiwek/dnp3-udp > topic/jsiwek/dns-perf > topic/jsiwek/dns_fake > topic/jsiwek/faf-perf > topic/jsiwek/faster-val-clone > topic/jsiwek/file-reassembly-merge > topic/jsiwek/file-signatures > topic/jsiwek/flip-roles > topic/jsiwek/gre > topic/jsiwek/http-file-id-caching > topic/jsiwek/improve-type-checks > topic/jsiwek/improve_comm_loop > topic/jsiwek/jemalloc > topic/jsiwek/jj-bugs > topic/jsiwek/libmagic-integration > topic/jsiwek/mime-multipart-boundary-leniency > topic/jsiwek/misc-fixes > topic/jsiwek/missing-pac-deps > topic/jsiwek/missing-plugin > topic/jsiwek/new-libmagic > topic/jsiwek/odesc-escaping > topic/jsiwek/outer_param_binding > topic/jsiwek/parse-only > topic/jsiwek/pktsrc-idle > topic/jsiwek/remove-val-attribs > topic/jsiwek/review-rafael-bro-manual-changes > topic/jsiwek/snmp > topic/jsiwek/socks-authentication > topic/jsiwek/string-slicing-fix > topic/jsiwek/tcp-improvements > topic/jsiwek/while > topic/matthias/bloomfilter-fix > topic/rafaelb/new-Bro-Manual-Development-Edition-Update1 > topic/robin/ascii-escape-normalization > topic/robin/bit-348-merge > topic/robin/bpf-vector > topic/robin/dnp3-merge-v4 > topic/robin/dynamic-plugins-2.3 > topic/robin/event-dumper > topic/robin/http-connect > topic/robin/modbus-events-merge > topic/robin/pacf > topic/robin/pktsrc > topic/robin/plugin-updates > 
topic/robin/reader-writer-plugins > topic/robin/rework-packets-merge > topic/robin/smtp-fix > topic/seth/ascii-escape-normalization > topic/seth/compiler-cleanup > topic/seth/deflate-missing-headers-fix > topic/seth/dnp3-wrong-sizeof-argument > topic/seth/dns-srv-fix > topic/seth/file-analysis-exe-analyzer > topic/seth/file-entropy > topic/seth/files-reassembly-and-mime-updates > topic/seth/files-tracking > topic/seth/http-connect > topic/seth/ie11-software-parsing > topic/seth/json-formatter > topic/seth/mime-updates > topic/seth/modbus_dpd_fix > topic/seth/more-file-type-ident-fixes > topic/seth/radiotap > topic/seth/rdp > topic/seth/sip-fixes > topic/seth/snmp > topic/seth/socks-authentication > topic/struck/BIT-1277 > topic/struck/BIT-1287 > topic/struck/openflow > topic/vladg/bit-1410 > topic/vladg/bit-1458 > topic/vladg/bit-1460 > topic/vladg/bit-1466 > topic/vladg/bit-1528 > topic/vladg/bit-1533 > topic/vladg/kerberos > topic/vladg/mysql > topic/vladg/radius > topic/vladg/rrsig > topic/vladg/sip > topic/vladg/socks_fix > topic/vladg/ssh > > Johanna > _______________________________________________ > bro-dev mailing list > bro-dev at bro.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev > > From jira at bro-tracker.atlassian.net Mon Apr 25 17:03:00 2016 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Mon, 25 Apr 2016 19:03:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1572) Please merge topic/johanna/intel-uid-fuid In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1572: ------------------------------- Status: Merge Request (was: Open) > Please merge topic/johanna/intel-uid-fuid > ----------------------------------------- > > Key: BIT-1572 > URL: https://bro-tracker.atlassian.net/browse/BIT-1572 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: git/master > Reporter: Johanna Amann > Fix For: 2.5 > > > Please merge topic/johanna/intel-uid-fuid. > This patch allows users to provide the fuid or the connection id directly, in case they do not have access to either in the event that they handle. > An example for this is the handling of certificates in SSL, where the fa_file record cannot be retained because this would create a cyclic data structure. > This patch also provides file IDs for hostname matches in certificates, which was not possible with the previous API. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From jira at bro-tracker.atlassian.net Mon Apr 25 17:03:00 2016 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Mon, 25 Apr 2016 19:03:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1572) Please merge topic/johanna/intel-uid-fuid In-Reply-To: References: Message-ID: Johanna Amann created BIT-1572: ---------------------------------- Summary: Please merge topic/johanna/intel-uid-fuid Key: BIT-1572 URL: https://bro-tracker.atlassian.net/browse/BIT-1572 Project: Bro Issue Tracker Issue Type: Improvement Components: Bro Affects Versions: git/master Reporter: Johanna Amann Fix For: 2.5 Please merge topic/johanna/intel-uid-fuid. This patch allows users to provide the fuid or the connection id directly, in case they do not have access to either in the event that they handle. An example for this is the handling of certificates in SSL, where the fa_file record cannot be retained because this would create a cyclic data structure. This patch also provides file IDs for hostname matches in certificates, which was not possible with the previous API. -- This message was sent by Atlassian JIRA (v7.2.0-OD-05-030#72002) From seth at icir.org Mon Apr 25 22:23:33 2016 From: seth at icir.org (Seth Hall) Date: Tue, 26 Apr 2016 01:23:33 -0400 Subject: [Bro-Dev] Timing regression? In-Reply-To: <20160420194913.GL69000@icir.org> References: <20160414185219.GP64671@icir.org> <5463EB78-21D9-4BAE-88D0-8DB31F5CCE90@icir.org> <20160420194913.GL69000@icir.org> Message-ID: <04727CD0-D8C3-4EA6-A22E-0160B2BC78B9@icir.org> > On Apr 20, 2016, at 3:49 PM, Robin Sommer wrote: > > No, but I also didn't look further. Could it be the new file > identifications (i.e., the regexps)? That was my thought too. I'll have to look into DFA state creations to see if we've walked into that problem again. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From noreply at bro.org Tue Apr 26 00:00:26 2016 
From: noreply at bro.org (Merge Tracker) Date: Tue, 26 Apr 2016 00:00:26 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201604260700.u3Q70QxS003090@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- -------------- ------------ ---------- ------------- ---------- ----------------------------------------------------------------------------------------- BIT-1572 [1] Bro Johanna Amann - 2016-04-25 2.5 Normal Please merge topic/johanna/intel-uid-fuid BIT-1564 [2] BroControl Scott Knick Justin Azoff 2016-04-07 2.5 Low BroControl incorrectly references ok attribute of results even when None type is returned BIT-1549 [3] BroControl Daniel Thayer Justin Azoff 2016-04-01 2.5 Normal broctl top command doesn't work on OS X 10.10 or newer BIT-1510 [4] BroControl Seth Hall Justin Azoff 2016-04-07 2.5 Normal Crash reports when no crash happened BIT-1507 [5] Bro Jan Grashoefer Seth Hall 2016-01-25 - Low Intel framework does not match mail addresses properly Open Fastpath Commits ====================== Commit Component Author Date Summary ----------- ----------- ------------- ---------- --------------------------------------------- 23d2562 [6] bro Seth Hall 2016-04-13 Revert "Fix RFB analyzer to build on FreeBSD" 16c0707 [7] bro Daniel Thayer 2016-04-13 Fix RFB analyzer to build on FreeBSD Open GitHub Pull Requests ========================= Issue Component User Updated Title -------- ----------- --------------- ---------- ----------------------------------------------------------------------- #52 [8] bro J-Gras [9] 2016-04-07 Fixed matching mail address intel [10] #22 [11] bro-plugins nickwallen [12] 2016-04-11 BIT-1559 Bro-Plugins Send each log stream to different kafka topic [13] #18 [14] bro-plugins jshlbrd [15] 2016-03-03 SSDP analyzer [16] [1] BIT-1572 https://bro-tracker.atlassian.net/browse/BIT-1572 [2] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564 [3] 
BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549 [4] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510 [5] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507 [6] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673 [7] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f [8] Pull Request #52 https://github.com/bro/bro/pull/52 [9] J-Gras https://github.com/J-Gras [10] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507 [11] Pull Request #22 https://github.com/bro/bro-plugins/pull/22 [12] nickwallen https://github.com/nickwallen [13] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics [14] Pull Request #18 https://github.com/bro/bro-plugins/pull/18 [15] jshlbrd https://github.com/jshlbrd [16] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp From jira at bro-tracker.atlassian.net Tue Apr 26 06:07:00 2016 
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Tue, 26 Apr 2016 08:07:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readabiity
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25900#comment-25900 ]

Adam Slagell commented on BIT-1571:
-----------------------------------

Talking with Seth, he agrees that it probably just makes more sense to leave ICMP out of the connection summaries.

> Connection summaries w/ IPv6 have poor readabiity
> -------------------------------------------------
>
> Key: BIT-1571
> URL: https://bro-tracker.atlassian.net/browse/BIT-1571
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: BroControl
> Affects Versions: 2.4
> Reporter: Adam Slagell
> Assignee: Daniel Thayer
> Priority: Low
> Fix For: 2,5
>
> Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt
>
>
> The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.

--
This message was sent by Atlassian JIRA
(v1000.5.0#72002)

From vlad at grigorescu.org Tue Apr 26 07:04:24 2016
From: vlad at grigorescu.org (Vlad Grigorescu)
Date: Tue, 26 Apr 2016 09:04:24 -0500
Subject: [Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readabiity
In-Reply-To:
References:
Message-ID:

I'm not sure I agree without additional context. ICMP exfil is a known technique. Wouldn't you want to know if all of a sudden, you started seeing gigs of ICMP? Or is there some other limitation that would make detecting this problematic?

What I would recommend instead is simply adding the protocols to the ports. So, instead of "top ports: 53, 80, 443, 8" you would see: "top ports: 53/udp, 80/tcp, 443/tcp, 8/icmp"

Would this be sufficient to solve the ICMP/port number confusion?

On Tue, Apr 26, 2016 at 8:07 AM, Adam Slagell (JIRA) <jira at bro-tracker.atlassian.net> wrote:

>
> [ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25900#comment-25900 ]
>
> Adam Slagell commented on BIT-1571:
> -----------------------------------
>
> Talking with Seth, he agrees that it probably just makes more sense to
> leave ICMP out of the connection summaries.
>
> > Connection summaries w/ IPv6 have poor readabiity
> > -------------------------------------------------
> >
> > Key: BIT-1571
> > URL: https://bro-tracker.atlassian.net/browse/BIT-1571
> > Project: Bro Issue Tracker
> > Issue Type: Improvement
> > Components: BroControl
> > Affects Versions: 2.4
> > Reporter: Adam Slagell
> > Assignee: Daniel Thayer
> > Priority: Low
> > Fix For: 2,5
> >
> > Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt
> >
> >
> > The variable length of IPv6 and being mixed with IPv4 causes alignment
> > issues with the white space in the connection summary emails.
> >
>
> --
> This message was sent by Atlassian JIRA
> (v1000.5.0#72002)
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20160426/dd3cec63/attachment.html

From slagell at illinois.edu Tue Apr 26 07:10:17 2016
From: slagell at illinois.edu (Slagell, Adam J)
Date: Tue, 26 Apr 2016 14:10:17 +0000
Subject: [Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readabiity
In-Reply-To:
References:
Message-ID: <7AEEF100-2020-423E-A033-50DA3D960830@illinois.edu>

Or don't count it in the port statistics, but still count it in the protocol stats. So you would see a ton of protocol #1

But I think I like your suggestion better because it separates things like 53/tcp and 53/udp.

On Apr 26, 2016, at 9:04 AM, Vlad Grigorescu wrote:

I'm not sure I agree without additional context. ICMP exfil is a known technique. Wouldn't you want to know if all of a sudden, you started seeing gigs of ICMP? Or is there some other limitation that would make detecting this problematic?

What I would recommend instead is simply adding the protocols to the ports. So, instead of "top ports: 53, 80, 443, 8" you would see: "top ports: 53/udp, 80/tcp, 443/tcp, 8/icmp"

Would this be sufficient to solve the ICMP/port number confusion?

On Tue, Apr 26, 2016 at 8:07 AM, Adam Slagell (JIRA) wrote:

[ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25900#comment-25900 ]

Adam Slagell commented on BIT-1571:
-----------------------------------

Talking with Seth, he agrees that it probably just makes more sense to leave ICMP out of the connection summaries.

> Connection summaries w/ IPv6 have poor readabiity
> -------------------------------------------------
>
> Key: BIT-1571
> URL: https://bro-tracker.atlassian.net/browse/BIT-1571
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: BroControl
> Affects Versions: 2.4
> Reporter: Adam Slagell
> Assignee: Daniel Thayer
> Priority: Low
> Fix For: 2,5
>
> Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt
>
>
> The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.

--
This message was sent by Atlassian JIRA
(v1000.5.0#72002)
_______________________________________________
bro-dev mailing list
bro-dev at bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

_______________________________________________
bro-dev mailing list
bro-dev at bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

------
Adam J. Slagell
Chief Information Security Officer
Director, Cybersecurity Division
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20160426/6446b6c0/attachment-0001.html

From jira at bro-tracker.atlassian.net Tue Apr 26 07:12:01 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Tue, 26 Apr 2016 09:12:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readabiity
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-1571:
------------------------------
Attachment: text.html

Or don't count it in the port statistics, but still count it in the protocol stats. So you would see a ton of protocol #1

But I think I like your suggestion better because it separates things like 53/tcp and 53/udp.

On Apr 26, 2016, at 9:04 AM, Vlad Grigorescu wrote:

I'm not sure I agree without additional context. ICMP exfil is a known technique. Wouldn't you want to know if all of a sudden, you started seeing gigs of ICMP? Or is there some other limitation that would make detecting this problematic?

What I would recommend instead is simply adding the protocols to the ports. So, instead of "top ports: 53, 80, 443, 8" you would see: "top ports: 53/udp, 80/tcp, 443/tcp, 8/icmp"

Would this be sufficient to solve the ICMP/port number confusion?

On Tue, Apr 26, 2016 at 8:07 AM, Adam Slagell (JIRA) wrote:

[ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25900#comment-25900 ]

Adam Slagell commented on BIT-1571:
-----------------------------------

Talking with Seth, he agrees that it probably just makes more sense to leave ICMP out of the connection summaries.

--
This message was sent by Atlassian JIRA
(v1000.5.0#72002)
_______________________________________________
bro-dev mailing list
bro-dev at bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

_______________________________________________
bro-dev mailing list
bro-dev at bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

------
Adam J. Slagell
Chief Information Security Officer
Director, Cybersecurity Division
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."

> Connection summaries w/ IPv6 have poor readabiity
> -------------------------------------------------
>
> Key: BIT-1571
> URL: https://bro-tracker.atlassian.net/browse/BIT-1571
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: BroControl
> Affects Versions: 2.4
> Reporter: Adam Slagell
> Assignee: Daniel Thayer
> Priority: Low
> Fix For: 2,5
>
> Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt, text.html
>
>
> The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.

--
This message was sent by Atlassian JIRA
(v1000.5.0#72002)

From vlad at grigorescu.org Tue Apr 26 07:12:33 2016
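For the BIT-1571 discussion above (ICMP numbers counted in the port column, the suggestion to label each port with its protocol, and the alignment problem with long IPv6 addresses), here is an added example that is not part of the thread and is not BroControl's own code. The record layout, the sample rows and all function names are assumptions made for illustration; Python is used because the thread refers to the summary's python script.

```python
from collections import Counter

# Constructed sample records (not taken from the thread): (proto, src, dst, resp_p).
# For ICMP rows the last field is whatever the log carries in the port column;
# the thread's point is that this number is not a port.
SAMPLE_CONNS = [
    ("udp", "192.0.2.10", "192.0.2.53", 53),
    ("udp", "192.0.2.10", "192.0.2.53", 53),
    ("tcp", "192.0.2.11", "192.0.2.53", 53),
    ("tcp", "2001:db8:0:1:211c:1c06:2d22:5a23", "2001:db8::80", 443),
    ("tcp", "192.0.2.10", "198.51.100.7", 443),
    ("icmp", "fe80::201:5cff:fe63:1846", "ff02::1:ff02:7503", 136),
    ("icmp", "fe80::201:5cff:fe63:1846", "ff02::1:ff02:7503", 136),
    ("icmp", "fe80::f299:bfff:fe00:4bd0", "ff02::1:ff02:e0e3", 136),
    ("icmp", "fe80::f299:bfff:fe00:4bd0", "ff02::1:ff02:e0e3", 135),
]


def count_ports(conns, label_proto=True):
    """Tally the port column, either bare or as "<number>/<proto>"."""
    counts = Counter()
    for proto, _src, _dst, resp_p in conns:
        key = "%d/%s" % (resp_p, proto) if label_proto else resp_p
        counts[key] += 1
    return counts


def top(counter, n=5):
    """Return the n most frequent keys as (key, percent), ties broken by key."""
    total = sum(counter.values())
    ranked = sorted(counter.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return [(str(key), 100.0 * count / total) for key, count in ranked[:n]]


def render(columns, n=5):
    """Lay ranked columns side by side, sizing each column to its widest cell."""
    blocks = []
    for title, counter in columns.items():
        rows = top(counter, n)
        key_w = max((len(key) for key, _ in rows), default=0)
        cells = ["%-*s %6s" % (key_w, key, "%.1f%%" % pct) for key, pct in rows]
        width = max([len(title)] + [len(cell) for cell in cells])
        blocks.append([title.ljust(width)] + [cell.ljust(width) for cell in cells])
    depth = max(len(block) for block in blocks)
    for block in blocks:
        # Pad short columns so every output row has the same number of cells.
        block.extend([" " * len(block[0])] * (depth - len(block)))
    return [" | ".join(row) for row in zip(*blocks)]


def summary_lines(conns, n=5):
    """Build a small summary table with protocol-labelled ports."""
    columns = {
        "Ports": count_ports(conns),
        "Sources": Counter(c[1] for c in conns),
        "Destinations": Counter(c[2] for c in conns),
        "Protocols": Counter(c[0] for c in conns),
    }
    return render(columns, n)


if __name__ == "__main__":
    print("bare ports:", top(count_ports(SAMPLE_CONNS, label_proto=False), 3))
    print("\n".join(summary_lines(SAMPLE_CONNS)))
```

In the bare tally, 53 merges TCP and UDP and 136 looks like a port; the labelled tally keeps ICMP volume visible in the summary without that ambiguity.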
From: vlad at grigorescu.org (Vlad Grigorescu)
Date: Tue, 26 Apr 2016 09:12:33 -0500
Subject: [Bro-Dev] Deleting old branches
In-Reply-To: <20160425225603.GA29445@Beezling.local>
References: <20160420172801.GB82516@wifi82.sys.ICSI.Berkeley.EDU> <20160425225603.GA29445@Beezling.local>
Message-ID:

Hooray, thanks for taking this on!

I just did a quick check for branches named ticket* or bit* and all those tickets have been closed (I wanted to check if they had been left open with the idea that someone would circle back to that branch and add feature X).

From my end, all the topic/vladg branches can be deleted.

--Vlad

On Mon, Apr 25, 2016 at 5:56 PM, Johanna Amann wrote:

> Just one more warning - if no one complains, I will go ahead and delete
> all of this on Friday.
>
> Johanna
>
> On Wed, Apr 20, 2016 at 10:28:01AM -0700, Johanna Amann wrote:
> > Hi,
> >
> > we currently have a ton of branches in Bro which have been merged into
> > master (some of them a long time ago). And - I would like to delete them,
> > unless people think they are worth keeping around for some reason.
> > > > To be more specific, the branches I would like to delete are: > > > > robin/topic/writer-info > > topic/dnthayer/configure > > topic/dnthayer/doc-fixes > > topic/dnthayer/doc-fixes-for-2.3 > > topic/dnthayer/doc-improvements-2.4 > > topic/dnthayer/doc-updates > > topic/dnthayer/fix-rdp > > topic/dnthayer/langref > > topic/dnthayer/mktemp > > topic/dnthayer/ticket1160 > > topic/dnthayer/ticket1186 > > topic/dnthayer/ticket1206 > > topic/dnthayer/ticket1215 > > topic/dnthayer/ticket1467 > > topic/dnthayer/ticket1481 > > topic/dnthayer/ticket1503 > > topic/dnthayer/ticket856 > > topic/gilbert/plugin-api-tweak > > topic/hui/dnp3-udp > > topic/hui/modbus-events > > topic/jazoff/notice_file_info > > topic/jazoff/ssl-validation-fix > > topic/jazoff/suppression > > topic/jdopheid/BIT-1242 > > topic/jdopheid/bro/edits_to_installation_and_getting_started > > topic/jdopheid/bro_documentation > > topic/johanna/filter_subnet_table > > topic/johanna/function-recursion > > topic/johanna/openflow > > topic/johanna/stats_smb_leak > > topic/johanna/str-functions > > topic/jsiwek/asan-fixes > > topic/jsiwek/ascii-log-memleak-fix > > topic/jsiwek/bif-loader-scripts > > topic/jsiwek/bit-1077 > > topic/jsiwek/bit-1153 > > topic/jsiwek/bit-1156 > > topic/jsiwek/bit-1166 > > topic/jsiwek/bit-1176 > > topic/jsiwek/bit-1235 > > topic/jsiwek/bit-1240 > > topic/jsiwek/bit-1246 > > topic/jsiwek/bit-1247 > > topic/jsiwek/bit-1248 > > topic/jsiwek/bit-1280 > > topic/jsiwek/bit-1288 > > topic/jsiwek/bit-1295 > > topic/jsiwek/bit-1296 > > topic/jsiwek/bit-1298 > > topic/jsiwek/bit-1305 > > topic/jsiwek/bit-1324 > > topic/jsiwek/bit-1343 > > topic/jsiwek/bit-1350 > > topic/jsiwek/bit-1367 > > topic/jsiwek/bit-1368 > > topic/jsiwek/bit-1373 > > topic/jsiwek/bit-1376 > > topic/jsiwek/bit-1384 > > topic/jsiwek/bit-1408 > > topic/jsiwek/bit-342 > > topic/jsiwek/bit-348 > > topic/jsiwek/bit-788 > > topic/jsiwek/bit-844 > > topic/jsiwek/broccoli-vectors > > topic/jsiwek/broker > > 
topic/jsiwek/broxygen > > topic/jsiwek/coverity > > topic/jsiwek/deprecation > > topic/jsiwek/dnp3-udp > > topic/jsiwek/dns-perf > > topic/jsiwek/dns_fake > > topic/jsiwek/faf-perf > > topic/jsiwek/faster-val-clone > > topic/jsiwek/file-reassembly-merge > > topic/jsiwek/file-signatures > > topic/jsiwek/flip-roles > > topic/jsiwek/gre > > topic/jsiwek/http-file-id-caching > > topic/jsiwek/improve-type-checks > > topic/jsiwek/improve_comm_loop > > topic/jsiwek/jemalloc > > topic/jsiwek/jj-bugs > > topic/jsiwek/libmagic-integration > > topic/jsiwek/mime-multipart-boundary-leniency > > topic/jsiwek/misc-fixes > > topic/jsiwek/missing-pac-deps > > topic/jsiwek/missing-plugin > > topic/jsiwek/new-libmagic > > topic/jsiwek/odesc-escaping > > topic/jsiwek/outer_param_binding > > topic/jsiwek/parse-only > > topic/jsiwek/pktsrc-idle > > topic/jsiwek/remove-val-attribs > > topic/jsiwek/review-rafael-bro-manual-changes > > topic/jsiwek/snmp > > topic/jsiwek/socks-authentication > > topic/jsiwek/string-slicing-fix > > topic/jsiwek/tcp-improvements > > topic/jsiwek/while > > topic/matthias/bloomfilter-fix > > topic/rafaelb/new-Bro-Manual-Development-Edition-Update1 > > topic/robin/ascii-escape-normalization > > topic/robin/bit-348-merge > > topic/robin/bpf-vector > > topic/robin/dnp3-merge-v4 > > topic/robin/dynamic-plugins-2.3 > > topic/robin/event-dumper > > topic/robin/http-connect > > topic/robin/modbus-events-merge > > topic/robin/pacf > > topic/robin/pktsrc > > topic/robin/plugin-updates > > topic/robin/reader-writer-plugins > > topic/robin/rework-packets-merge > > topic/robin/smtp-fix > > topic/seth/ascii-escape-normalization > > topic/seth/compiler-cleanup > > topic/seth/deflate-missing-headers-fix > > topic/seth/dnp3-wrong-sizeof-argument > > topic/seth/dns-srv-fix > > topic/seth/file-analysis-exe-analyzer > > topic/seth/file-entropy > > topic/seth/files-reassembly-and-mime-updates > > topic/seth/files-tracking > > topic/seth/http-connect > > 
topic/seth/ie11-software-parsing > > topic/seth/json-formatter > > topic/seth/mime-updates > > topic/seth/modbus_dpd_fix > > topic/seth/more-file-type-ident-fixes > > topic/seth/radiotap > > topic/seth/rdp > > topic/seth/sip-fixes > > topic/seth/snmp > > topic/seth/socks-authentication > > topic/struck/BIT-1277 > > topic/struck/BIT-1287 > > topic/struck/openflow > > topic/vladg/bit-1410 > > topic/vladg/bit-1458 > > topic/vladg/bit-1460 > > topic/vladg/bit-1466 > > topic/vladg/bit-1528 > > topic/vladg/bit-1533 > > topic/vladg/kerberos > > topic/vladg/mysql > > topic/vladg/radius > > topic/vladg/rrsig > > topic/vladg/sip > > topic/vladg/socks_fix > > topic/vladg/ssh > > > > Johanna > > _______________________________________________ > > bro-dev mailing list > > bro-dev at bro.org > > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev > > > > > _______________________________________________ > bro-dev mailing list > bro-dev at bro.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20160426/d697b196/attachment.html From jira at bro-tracker.atlassian.net Tue Apr 26 07:28:00 2016 
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA)) Date: Tue, 26 Apr 2016 09:28:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1560) BroControl unhappy when host dies during shutdown In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adam Slagell reassigned BIT-1560: --------------------------------- Assignee: Daniel Thayer (was: Jon Schipp) > BroControl unhappy when host dies during shutdown > ------------------------------------------------- > > Key: BIT-1560 > URL: https://bro-tracker.atlassian.net/browse/BIT-1560 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Affects Versions: git/master > Reporter: Johanna Amann > Assignee: Daniel Thayer > Fix For: 2.5 > > > BroControl currently seems to get rather unhappy if a node crashes while Bro is being shut down. The output is something along these lines (it retries quite a few times and takes a while): > {code} > Error: failed to send stop signal to worker-19-1 > Error: failed to send stop signal to worker-19-2 > Error: cannot connect to worker-19-1 > Error: cannot connect to worker-19-2 > ssh: connect to host 10.0.1.69 port 22: Connection refused > ssh: connect to host 10.0.1.83 port 22: Host is down > Error: cannot connect to worker-19-1 > Error: cannot connect to worker-19-2 > ssh: connect to host 10.0.1.83 port 22: Host is down > ssh: connect to host 10.0.1.83 port 22: Host is down > Error: cannot connect to worker-19-1 > Error: cannot connect to worker-19-2 > ssh: connect to host 10.0.1.83 port 22: Host is down > ssh: connect to host 10.0.1.83 port 22: Host is down > Error: cannot connect to worker-19-1 > Error: cannot connect to worker-19-2 > ssh: connect to host 10.0.1.83 port 22: Host is down > ssh: connect to host 10.0.1.83 port 22: Host is down > Error: cannot connect to worker-19-1 > Error: cannot connect to worker-19-2 > ssh: connect to host 10.0.1.83 port 22: 
Host is down > ssh: connect to host 10.0.1.83 port 22: Host is down > Error: cannot connect to worker-19-1 > Error: cannot connect to worker-19-2 > ssh: connect to host 10.0.1.83 port 22: Host is down > ssh: connect to host 10.0.1.83 port 22: Host is down > ... > ssh: connect to host 10.0.1.83 port 22: Host is down > Error: cannot connect to worker-19-1 > Error: cannot connect to worker-19-2 > Error: 'str' object has no attribute 'type' > [BroControl] > > {code} -- This message was sent by Atlassian JIRA (v1000.5.0#72002) From jira at bro-tracker.atlassian.net Tue Apr 26 07:28:01 2016 From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA)) Date: Tue, 26 Apr 2016 09:28:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1033) add script based on BBN's ICMP analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adam Slagell reassigned BIT-1033: --------------------------------- Assignee: Vlad Grigorescu (was: Jon Schipp) > add script based on BBN's ICMP analyzer > --------------------------------------- > > Key: BIT-1033 > URL: https://bro-tracker.atlassian.net/browse/BIT-1033 > Project: Bro Issue Tracker > Issue Type: Patch > Components: Bro > Affects Versions: git/master > Reporter: dmandelb > Assignee: Vlad Grigorescu > Priority: Low > Fix For: 2.5 > > Attachments: 0001-add-script-based-on-BBN-s-ICMP-analyzer.patch > > -- This message was sent by Atlassian JIRA (v1000.5.0#72002) From jira at bro-tracker.atlassian.net Tue Apr 26 07:29:00 2016 
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Tue, 26 Apr 2016 09:29:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-274) Finding lines where redefs occurred
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-274?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell reassigned BIT-274:
--------------------------------

    Assignee: (was: Jon Schipp)

> Finding lines where redefs occurred
> -----------------------------------
>
> Key: BIT-274
> URL: https://bro-tracker.atlassian.net/browse/BIT-274
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: 1.5.1
> Reporter: Seth Hall
>
> First, support would need to be added to Bro for finding all of the lines and scripts where redefs against a certain variable occurred. I would also like to see this support added through broctl.
> Here's the scenario...
> {noformat}
> [BroControl] > find redef ignore_checksums
> /usr/local/bro/share/bro/bro.init:360 const ignore_checksums = F &redef;
> /usr/local/bro/share/bro/site/local.bro:133 redef ignore_checksums = T;
> {noformat}
> This is relating to a discussion I had about trouble people have with starting with Bro and the gotchas encountered from enabling the cluster support. There are so many redefs happening and potentially without the user realizing it.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Tue Apr 26 07:34:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Tue, 26 Apr 2016 09:34:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1521) known services should probably ignore gridftp-data
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-1521:
------------------------------

    Due Date: (was: 14/Jan/16)

> known services should probably ignore gridftp-data
> --------------------------------------------------
>
> Key: BIT-1521
> URL: https://bro-tracker.atlassian.net/browse/BIT-1521
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.4
> Reporter: Justin Azoff
> Assignee: Justin Azoff
> Fix For: 2.5
>
>
> known services script does
> {code}
>     if ( ! addr_matches_host(id$resp_h, service_tracking) ||
>          "ftp-data" in c$service || # don't include ftp data sessions
>          ("DNS" in c$service && c$resp$size == 0) ) # for dns, require that the server talks.
>         return;
> {code}
> but should probably also ignore gridftp-data. Probably a good idea to add a set of services that behave like ftp for it to check.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Tue Apr 26 07:35:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Tue, 26 Apr 2016 09:35:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1444) Connection logging for ESP
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1444?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-1444:
------------------------------

    Due Date: (was: 14/Jan/16)

> Connection logging for ESP
> --------------------------
>
> Key: BIT-1444
> URL: https://bro-tracker.atlassian.net/browse/BIT-1444
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jimmy Jones
> Assignee: Vlad Grigorescu
> Priority: Low
>
> I'd like to be able to track ESP (IPSec) connections in conn.log. Although ESP is encrypted, the ability to track volumes and pattern of life etc would be beneficial when doing intrusion analysis.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Tue Apr 26 07:50:00 2016
From: jira at bro-tracker.atlassian.net (llh (JIRA))
Date: Tue, 26 Apr 2016 09:50:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1573) 3 useless EventHandlerPtr in the ARP Analyzer
In-Reply-To:
References:
Message-ID:

llh created BIT-1573:
------------------------

    Summary: 3 useless EventHandlerPtr in the ARP Analyzer
    Key: BIT-1573
    URL: https://bro-tracker.atlassian.net/browse/BIT-1573
    Project: Bro Issue Tracker
    Issue Type: Improvement
    Components: Bro
    Reporter: llh
    Priority: Trivial

The class analyzer::arp::ARP_Analyzer declared in the file src/analyzer/protocol/arp/ARP.h declares 3 protected EventHandlerPtr that are never initialized and never used.

What the corresponding source file refers to are the following global variables:
* bad_arp
* arp_request
* arp_reply
which are declared as "extern" in the file build/src/analyzer/protocol/arp/events.bif.h which is generated by bifcl from src/analyzer/protocol/arp/events.bif.

Fixing this issue is trivial: deleting the 3 lines declaring the unused EventHandlerPtr.

The expected improvement is saving 3 bytes of memory and mostly not messing with those who will try to understand the code of this analyzer in the future.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Tue Apr 26 08:29:04 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 26 Apr 2016 10:29:04 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1573) 3 useless EventHandlerPtr in the ARP Analyzer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25902#comment-25902 ]

Johanna Amann commented on BIT-1573:
------------------------------------

I might miss something - but it seems that those EventHandlerPtrs are initialized in ARP_Analyzer::ARP_Analyzer in ARP.cc (lines 13-15). They are also used to send events later in ARP.cc

> 3 useless EventHandlerPtr in the ARP Analyzer
> ---------------------------------------------
>
> Key: BIT-1573
> URL: https://bro-tracker.atlassian.net/browse/BIT-1573
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Reporter: llh
> Priority: Trivial
>
> The class analyzer::arp::ARP_Analyzer declared in the file src/analyzer/protocol/arp/ARP.h declares 3 protected EventHandlerPtr that are never initialized and never used.
> What the corresponding source file refers to are the following global variables:
> * bad_arp
> * arp_request
> * arp_reply
> which are declared as "extern" in the file build/src/analyzer/protocol/arp/events.bif.h which is generated by bifcl from src/analyzer/protocol/arp/events.bif.
> Fixing this issue is trivial: deleting the 3 lines declaring the unused EventHandlerPtr.
> The expected improvement is saving 3 bytes of memory and mostly not messing with those who will try to understand the code of this analyzer in the future.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Tue Apr 26 12:33:01 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 26 Apr 2016 14:33:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1449) Wrap Broker Bifs into script-level functions
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer reassigned BIT-1449:
----------------------------------

    Assignee: Daniel Thayer

> Wrap Broker Bifs into script-level functions
> --------------------------------------------
>
> Key: BIT-1449
> URL: https://bro-tracker.atlassian.net/browse/BIT-1449
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Reporter: Robin Sommer
> Assignee: Daniel Thayer
> Fix For: 2.5
>
>
> When working with Broker in Bro, one currently calls its bifs directly. That works just fine, but is a problem for documentation: the bifs are defined outside of the Broker framework, splitting the information across two places.
> We should do here what other frameworks do: rename the Bifs to have internal-only names ({{__}}) and then provide wrapper functions inside the framework that just forward to those internal ones.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Tue Apr 26 13:08:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 26 Apr 2016 15:08:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1574) Please merge topic/johanna/imap-starttls
In-Reply-To:
References:
Message-ID:

Johanna Amann created BIT-1574:
----------------------------------

    Summary: Please merge topic/johanna/imap-starttls
    Key: BIT-1574
    URL: https://bro-tracker.atlassian.net/browse/BIT-1574
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: Bro
    Affects Versions: git/master
    Reporter: Johanna Amann
    Fix For: 2.5

Please merge topic/johanna/imap-starttls

This adds a very rudimentary IMAP analyzer (binpac based), which parses just enough of the protocol to recognize when a server switches to SSL using StartTLS, switching a connection to the SSL analyzer from this point.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Tue Apr 26 13:08:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 26 Apr 2016 15:08:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1574) Please merge topic/johanna/imap-starttls
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1574?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1574:
-------------------------------

    Status: Merge Request (was: Open)

> Please merge topic/johanna/imap-starttls
> ----------------------------------------
>
> Key: BIT-1574
> URL: https://bro-tracker.atlassian.net/browse/BIT-1574
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: git/master
> Reporter: Johanna Amann
> Fix For: 2.5
>
>
> Please merge topic/johanna/imap-starttls
> This adds a very rudimentary IMAP analyzer (binpac based), which parses just enough of the protocol to recognize when a server switches to SSL using StartTLS, switching a connection to the SSL analyzer from this point.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Tue Apr 26 15:17:00 2016
From: jira at bro-tracker.atlassian.net (Michal Purzynski (JIRA))
Date: Tue, 26 Apr 2016 17:17:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1575) AF_Packet hash in 4.4 is not symmetric anymore, needs a different tactics
In-Reply-To:
References:
Message-ID:

Michal Purzynski created BIT-1575:
-------------------------------------

    Summary: AF_Packet hash in 4.4 is not symmetric anymore, needs a different tactics
    Key: BIT-1575
    URL: https://bro-tracker.atlassian.net/browse/BIT-1575
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Michal Purzynski

The AF_Packet in 4.4 and onward has undergone a major redesign and rewrite.

In order to make it more generic and correctly support VLANs, GRE tunnels, IPv6, and so on, the hash function has been generalized and is not symmetric anymore.

This affects the af_packet capture plugin.

For kernel version 4.2, the following function was used

    static inline u32 __flow_hash_from_keys(struct flow_keys *keys)
    /* get a *consistent hash* (*same value on both flow directions*) */

In 4.4 it's jhash2, which is *not* symmetric. This results in split connections.

    static __always_inline u32 __flow_hash_words(const u32 *words, u32 length, u32 keyval)
    {
        return jhash2(words, length, keyval);
    }

I have tested this on 4.2, then upgraded to 4.4, observed lots of SAD connections, went back to 4.2.

This seems to clarify this design decision
https://patchwork.ozlabs.org/patch/467861/

After consulting Suricata developers (thank you, Regit!!) seems like there's a new way to achieve consistent hashing. This method must be implemented for kernels >= 4.4 (maybe others, too).
https://lwn.net/Articles/655295/
https://www.kernel.org/doc/Documentation/networking/filter.txt

eBPF fanout mode, so you write a filter and af_packet respects hashing from it.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Tue Apr 26 15:52:00 2016
From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA))
Date: Tue, 26 Apr 2016 17:52:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1575) AF_Packet hash in 4.4 is not symmetric anymore, needs a different tactics
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25903#comment-25903 ]

Jan Grashoefer commented on BIT-1575:
-------------------------------------

As 4.2 and 4.4 both call the [__flow_hash_consistentify|http://lxr.free-electrons.com/source/net/core/flow_dissector.c#L575] function, I am not yet convinced this isn't a bug. I will try to further investigate this. However, supporting BPF for load-balancing is a great feature anyway.

> AF_Packet hash in 4.4 is not symmetric anymore, needs a different tactics
> -------------------------------------------------------------------------
>
> Key: BIT-1575
> URL: https://bro-tracker.atlassian.net/browse/BIT-1575
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Michal Purzynski
>
> The AF_Packet in 4.4 and onward has undergone a major redesign and rewrite.
> In order to make it more generic and correctly support VLANs, GRE tunnels, IPv6, and so on, the hash function has been generalized and is not symmetric anymore.
> This affects the af_packet capture plugin.
> For kernel version 4.2, the following function was used
> static inline u32 __flow_hash_from_keys(struct flow_keys *keys)
> /* get a *consistent hash* (*same value on both flow directions*) */
> In 4.4 it's jhash2, which is *not* symmetric. This results in split connections.
> static __always_inline u32 __flow_hash_words(const u32 *words, u32 length, u32 keyval)
> {
>     return jhash2(words, length, keyval);
> }
> I have tested this on 4.2, then upgraded to 4.4, observed lots of SAD connections, went back to 4.2.
> This seems to clarify this design decision
> https://patchwork.ozlabs.org/patch/467861/
> After consulting Suricata developers (thank you, Regit!!) seems like there's a new way to achieve consistent hashing. This method must be implemented for kernels >= 4.4 (maybe others, too).
> https://lwn.net/Articles/655295/
> https://www.kernel.org/doc/Documentation/networking/filter.txt
> eBPF fanout mode, so you write a filter and af_packet respects hashing from it.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Tue Apr 26 22:51:02 2016
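Added illustration for the BIT-1575 discussion above, not code from the thread, Bro, or the kernel: it shows what "symmetric" means for a fanout hash and how ordering the two endpoints before hashing keeps both directions of a flow on one worker. The struct, the function names, the sample flows and the FNV-based mixer (a stand-in for jhash2) are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed IPv4 flow key in host byte order; not a kernel structure. */
struct flow4 {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
};

typedef uint32_t (*flow_hash_fn)(const struct flow4 *, uint32_t seed);

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample flows using documentation address ranges. */
static const struct flow4 SAMPLE[] = {
    { IP(192, 0, 2, 10),    IP(198, 51, 100, 5),   49152, 443  },
    { IP(192, 0, 2, 11),    IP(198, 51, 100, 5),   51000, 80   },
    { IP(198, 51, 100, 20), IP(192, 0, 2, 53),     40000, 53   },
    { IP(203, 0, 113, 7),   IP(192, 0, 2, 25),     33333, 25   },
    { IP(192, 0, 2, 99),    IP(203, 0, 113, 80),   60001, 8080 },
    { IP(198, 51, 100, 77), IP(203, 0, 113, 22),   1025,  22   },
    { IP(203, 0, 113, 200), IP(198, 51, 100, 143), 55555, 143  },
    { IP(192, 0, 2, 1),     IP(192, 0, 2, 2),      12345, 993  },
};
#define SAMPLE_LEN (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Stand-in word mixer (FNV-1a plus a final avalanche); NOT the kernel's jhash2. */
static uint32_t mix_words(const uint32_t *w, size_t n, uint32_t seed)
{
    uint32_t h = 2166136261u ^ seed;
    for (size_t i = 0; i < n; i++)
        for (int b = 0; b < 4; b++) {
            h ^= (w[i] >> (8 * b)) & 0xffu;
            h *= 16777619u;
        }
    h ^= h >> 16;
    h *= 0x85ebca6bu;
    h ^= h >> 13;
    return h;
}

/* Hash the tuple in packet order: the result depends on the direction. */
uint32_t hash_directional(const struct flow4 *f, uint32_t seed)
{
    uint32_t w[3] = { f->src_ip, f->dst_ip,
                      ((uint32_t)f->src_port << 16) | f->dst_port };
    return mix_words(w, 3, seed);
}

/* Swap source and destination, i.e. the reply direction of the same flow. */
struct flow4 reverse_flow(const struct flow4 *f)
{
    struct flow4 r = { f->dst_ip, f->src_ip, f->dst_port, f->src_port };
    return r;
}

/* Put the lower (ip, port) endpoint first so both directions share one key. */
struct flow4 canonical_flow(const struct flow4 *f)
{
    if (f->dst_ip < f->src_ip ||
        (f->dst_ip == f->src_ip && f->dst_port < f->src_port))
        return reverse_flow(f);
    return *f;
}

/* Same mixer, applied to the canonical key: direction-independent. */
uint32_t hash_symmetric(const struct flow4 *f, uint32_t seed)
{
    struct flow4 c = canonical_flow(f);
    return hash_directional(&c, seed);
}

/* Number of flows whose two directions hash to different 32-bit values. */
int count_asymmetric(const struct flow4 *flows, size_t n,
                     flow_hash_fn hash, uint32_t seed)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        struct flow4 r = reverse_flow(&flows[i]);
        if (hash(&flows[i], seed) != hash(&r, seed))
            bad++;
    }
    return bad;
}

/* Number of flows whose two directions land on different fanout workers. */
int count_split(const struct flow4 *flows, size_t n, unsigned workers,
                flow_hash_fn hash, uint32_t seed)
{
    int split = 0;
    for (size_t i = 0; i < n; i++) {
        struct flow4 r = reverse_flow(&flows[i]);
        if (hash(&flows[i], seed) % workers != hash(&r, seed) % workers)
            split++;
    }
    return split;
}

int main(void)
{
    printf("directional: %d of %zu flows split across 7 workers\n",
           count_split(SAMPLE, SAMPLE_LEN, 7, hash_directional, 0x1234u),
           SAMPLE_LEN);
    printf("symmetric:   %d of %zu flows split across 7 workers\n",
           count_split(SAMPLE, SAMPLE_LEN, 7, hash_symmetric, 0x1234u),
           SAMPLE_LEN);
    return 0;
}
```

A sensor cluster can run the same check on captured traffic: any connection whose originator and responder packets appear on different workers indicates the load balancer is hashing per direction.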
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 27 Apr 2016 00:51:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1449) Wrap Broker Bifs into script-level functions
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25904#comment-25904 ]

Daniel Thayer commented on BIT-1449:
------------------------------------

Branch "topic/dnthayer/ticket1449" in the bro git repo contains these changes, and also some improvements to some broker tests.

> Wrap Broker Bifs into script-level functions
> --------------------------------------------
>
> Key: BIT-1449
> URL: https://bro-tracker.atlassian.net/browse/BIT-1449
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Reporter: Robin Sommer
> Assignee: Daniel Thayer
> Fix For: 2.5
>
>
> When working with Broker in Bro, one currently calls its bifs directly. That works just fine, but is a problem for documentation: the bifs are defined outside of the Broker framework, splitting the information across two places.
> We should do here what other frameworks do: rename the Bifs to have internal-only names ({{__}}) and then provide wrapper functions inside the framework that just forward to those internal ones.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Tue Apr 26 22:54:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 27 Apr 2016 00:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1449) Wrap Broker Bifs into script-level functions
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1449:
-------------------------------

    Status: Merge Request (was: Open)
    Assignee: (was: Daniel Thayer)

> Wrap Broker Bifs into script-level functions
> --------------------------------------------
>
> Key: BIT-1449
> URL: https://bro-tracker.atlassian.net/browse/BIT-1449
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Reporter: Robin Sommer
> Fix For: 2.5
>
>
> When working with Broker in Bro, one currently calls its bifs directly. That works just fine, but is a problem for documentation: the bifs are defined outside of the Broker framework, splitting the information across two places.
> We should do here what other frameworks do: rename the Bifs to have internal-only names ({{__}}) and then provide wrapper functions inside the framework that just forward to those internal ones.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From noreply at bro.org Wed Apr 27 00:00:32 2016
From: noreply at bro.org (Merge Tracker)
Date: Wed, 27 Apr 2016 00:00:32 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604270700.u3R70WId031295@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee      Updated     For Version    Priority    Summary
------------  -----------  --------------  ------------  ----------  -------------  ----------  -----------------------------------------------------------------------------------------
BIT-1574 [1]  Bro          Johanna Amann   -             2016-04-26  2.5            Normal      Please merge topic/johanna/imap-starttls
BIT-1572 [2]  Bro          Johanna Amann   -             2016-04-25  2.5            Normal      Please merge topic/johanna/intel-uid-fuid
BIT-1564 [3]  BroControl   Scott Knick     Justin Azoff  2016-04-07  2.5            Low         BroControl incorrectly references ok attribute of results even when None type is returned
BIT-1549 [4]  BroControl   Daniel Thayer   Justin Azoff  2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1510 [5]  BroControl   Seth Hall       Justin Azoff  2016-04-07  2.5            Normal      Crash reports when no crash happened
BIT-1507 [6]  Bro          Jan Grashoefer  Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly
BIT-1449 [7]  Bro          Robin Sommer    -             2016-04-27  2.5            Normal      Wrap Broker Bifs into script-level functions

Open Fastpath Commits
======================

Commit       Component    Author         Date        Summary
-----------  -----------  -------------  ----------  ---------------------------------------------
23d2562 [8]  bro          Seth Hall      2016-04-13  Revert "Fix RFB analyzer to build on FreeBSD"
16c0707 [9]  bro          Daniel Thayer  2016-04-13  Fix RFB analyzer to build on FreeBSD

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#52 [10]  bro          J-Gras [11]      2016-04-07  Fixed matching mail address intel [12]
#22 [13]  bro-plugins  nickwallen [14]  2016-04-11  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [15]
#18 [16]  bro-plugins  jshlbrd [17]     2016-03-03  SSDP analyzer [18]

[1] BIT-1574 https://bro-tracker.atlassian.net/browse/BIT-1574
[2] BIT-1572 https://bro-tracker.atlassian.net/browse/BIT-1572
[3] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564
[4] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549
[5] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510
[6] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[7] BIT-1449 https://bro-tracker.atlassian.net/browse/BIT-1449
[8] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673
[9] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f
[10] Pull Request #52 https://github.com/bro/bro/pull/52
[11] J-Gras https://github.com/J-Gras
[12] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[13] Pull Request #22 https://github.com/bro/bro-plugins/pull/22
[14] nickwallen https://github.com/nickwallen
[15] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[16] Pull Request #18 https://github.com/bro/bro-plugins/pull/18
[17] jshlbrd https://github.com/jshlbrd
[18] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From jira at bro-tracker.atlassian.net Wed Apr 27 02:04:02 2016
From: jira at bro-tracker.atlassian.net (llh (JIRA))
Date: Wed, 27 Apr 2016 04:04:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1573) 3 useless EventHandlerPtr in the ARP Analyzer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=26000#comment-26000 ]

llh commented on BIT-1573:
--------------------------

I did make a successful test without the 3 lines. As I said in the description, the event handler pointers used and initialized are those declared in events.bif.h.

Should you doubt it, you can see that the event handler pointer ARP_Analyzer::arp_corrupted_packet is never referred to in the entire project, whereas the definitions of the functions of ARP_Analyzer refer to the global variables, including "bad_arp", which might be what the author wanted to name "arp_corrupted_packet".

Should I be wrong about removing those lines, it is still a bad idea to have class members with the same name as global variables (here "arp_request" and "arp_reply").

> 3 useless EventHandlerPtr in the ARP Analyzer
> ---------------------------------------------
>
> Key: BIT-1573
> URL: https://bro-tracker.atlassian.net/browse/BIT-1573
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Reporter: llh
> Priority: Trivial
>
> The class analyzer::arp::ARP_Analyzer declared in the file src/analyzer/protocol/arp/ARP.h declares 3 protected EventHandlerPtr that are never initialized and never used.
> What the corresponding source file refers to are the following global variables:
> * bad_arp
> * arp_request
> * arp_reply
> which are declared as "extern" in the file build/src/analyzer/protocol/arp/events.bif.h which is generated by bifcl from src/analyzer/protocol/arp/events.bif.
> Fixing this issue is trivial: deleting the 3 lines declaring the unused EventHandlerPtr.
> The expected improvement is saving 3 bytes of memory and mostly not messing with those who will try to understand the code of this analyzer in the future.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Wed Apr 27 06:53:01 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 27 Apr 2016 08:53:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1573) 3 useless EventHandlerPtr in the ARP Analyzer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1573?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1573:
-------------------------------

    Resolution: Fixed
    Status: Closed (was: Open)

> 3 useless EventHandlerPtr in the ARP Analyzer
> ---------------------------------------------
>
> Key: BIT-1573
> URL: https://bro-tracker.atlassian.net/browse/BIT-1573
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Reporter: llh
> Priority: Trivial
>
> The class analyzer::arp::ARP_Analyzer declared in the file src/analyzer/protocol/arp/ARP.h declares 3 protected EventHandlerPtr that are never initialized and never used.
> What the corresponding source file refers to are the following global variables:
> * bad_arp
> * arp_request
> * arp_reply
> which are declared as "extern" in the file build/src/analyzer/protocol/arp/events.bif.h which is generated by bifcl from src/analyzer/protocol/arp/events.bif.
> Fixing this issue is trivial: deleting the 3 lines declaring the unused EventHandlerPtr.
> The expected improvement is saving 3 bytes of memory and mostly not messing with those who will try to understand the code of this analyzer in the future.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Wed Apr 27 06:53:01 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 27 Apr 2016 08:53:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1573) 3 useless EventHandlerPtr in the ARP Analyzer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=26001#comment-26001 ]

Johanna Amann commented on BIT-1573:
------------------------------------

You are right; this is fixed in 3a70289e91b09640cda77a0534aa997a15fff40f

> 3 useless EventHandlerPtr in the ARP Analyzer
> ---------------------------------------------
>
> Key: BIT-1573
> URL: https://bro-tracker.atlassian.net/browse/BIT-1573
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Reporter: llh
> Priority: Trivial
>
> The class analyzer::arp::ARP_Analyzer declared in the file src/analyzer/protocol/arp/ARP.h declares 3 protected EventHandlerPtr that are never initialized and never used.
> What the corresponding source file refers to are the following global variables:
> * bad_arp
> * arp_request
> * arp_reply
> which are declared as "extern" in the file build/src/analyzer/protocol/arp/events.bif.h which is generated by bifcl from src/analyzer/protocol/arp/events.bif.
> Fixing this issue is trivial: deleting the 3 lines declaring the unused EventHandlerPtr.
> The expected improvement is saving 3 bytes of memory and mostly not messing with those who will try to understand the code of this analyzer in the future.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Wed Apr 27 14:44:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 27 Apr 2016 16:44:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1576) broctl error when unable to create bro pid file
In-Reply-To:
References:
Message-ID:

Daniel Thayer created BIT-1576:
----------------------------------

    Summary: broctl error when unable to create bro pid file
    Key: BIT-1576
    URL: https://bro-tracker.atlassian.net/browse/BIT-1576
    Project: Bro Issue Tracker
    Issue Type: Task
    Components: BroControl
    Reporter: Daniel Thayer
    Fix For: 2.5

If the run-bro script cannot create a pid file for any reason, then the "start" helper script gets stuck in an infinite loop waiting for run-bro to create a pid file. The "start" script will eventually be terminated by ssh_runner but at that point one or more Bro processes will be running and broctl won't know about them.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From noreply at bro.org Thu Apr 28 00:00:21 2016
From: noreply at bro.org (Merge Tracker)
Date: Thu, 28 Apr 2016 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604280700.u3S70LQm015839@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee      Updated     For Version    Priority    Summary
------------  -----------  --------------  ------------  ----------  -------------  ----------  -----------------------------------------------------------------------------------------
BIT-1574 [1]  Bro          Johanna Amann   -             2016-04-26  2.5            Normal      Please merge topic/johanna/imap-starttls
BIT-1572 [2]  Bro          Johanna Amann   -             2016-04-25  2.5            Normal      Please merge topic/johanna/intel-uid-fuid
BIT-1564 [3]  BroControl   Scott Knick     Justin Azoff  2016-04-07  2.5            Low         BroControl incorrectly references ok attribute of results even when None type is returned
BIT-1549 [4]  BroControl   Daniel Thayer   Justin Azoff  2016-04-01  2.5            Normal      broctl top command doesn't work on OS X 10.10 or newer
BIT-1510 [5]  BroControl   Seth Hall       Justin Azoff  2016-04-07  2.5            Normal      Crash reports when no crash happened
BIT-1507 [6]  Bro          Jan Grashoefer  Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly
BIT-1449 [7]  Bro          Robin Sommer    -             2016-04-27  2.5            Normal      Wrap Broker Bifs into script-level functions

Open Fastpath Commits
======================

Commit        Component    Author         Date        Summary
------------  -----------  -------------  ----------  ---------------------------------------------
362bf7a [8]   bro          Daniel Thayer  2016-04-27  Update docs and tests of the fmt() function
23d2562 [9]   bro          Seth Hall      2016-04-13  Revert "Fix RFB analyzer to build on FreeBSD"
16c0707 [10]  bro          Daniel Thayer  2016-04-13  Fix RFB analyzer to build on FreeBSD

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#52 [11]  bro          J-Gras [12]      2016-04-07  Fixed matching mail address intel [13]
#22 [14]  bro-plugins  nickwallen [15]  2016-04-11  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [16]
#18 [17]  bro-plugins  jshlbrd [18]     2016-03-03  SSDP analyzer [19]

[1] BIT-1574 https://bro-tracker.atlassian.net/browse/BIT-1574
[2] BIT-1572 https://bro-tracker.atlassian.net/browse/BIT-1572
[3] BIT-1564 https://bro-tracker.atlassian.net/browse/BIT-1564
[4] BIT-1549 https://bro-tracker.atlassian.net/browse/BIT-1549
[5] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510
[6] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[7] BIT-1449 https://bro-tracker.atlassian.net/browse/BIT-1449
[8] 362bf7a https://github.com/bro/bro/commit/362bf7aee12814781ef97242accb176423cd2a64
[9] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673
[10] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f
[11] Pull Request #52 https://github.com/bro/bro/pull/52
[12] J-Gras https://github.com/J-Gras
[13] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[14] Pull Request #22 https://github.com/bro/bro-plugins/pull/22
[15] nickwallen https://github.com/nickwallen
[16] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[17] Pull Request #18 https://github.com/bro/bro-plugins/pull/18
[18] jshlbrd https://github.com/jshlbrd
[19] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From jira at bro-tracker.atlassian.net Thu Apr 28 07:50:01 2016
From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA))
Date: Thu, 28 Apr 2016 09:50:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1575) AF_Packet hash in 4.4 is not symmetric anymore, needs a different tactics
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=26002#comment-26002 ]

Jan Grashoefer commented on BIT-1575:
-------------------------------------

For the record: I was not able to reproduce this on 4.4.7-300.fc23.x86_64 monitoring small amounts of IPv4 traffic.

> AF_Packet hash in 4.4 is not symmetric anymore, needs a different tactics
> -------------------------------------------------------------------------
>
> Key: BIT-1575
> URL: https://bro-tracker.atlassian.net/browse/BIT-1575
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Michal Purzynski
>
> The AF_Packet in 4.4 and onward has undergone a major redesign and rewrite.
> In order to make it more generic and correctly support VLANs, GRE tunnels, IPv6, and so on, the hash function has been generalized and is not symmetric anymore.
> This affects the af_packet capture plugin.
> For kernel version 4.2, the following function was used
> static inline u32 __flow_hash_from_keys(struct flow_keys *keys)
> /* get a *consistent hash* (*same value on both flow directions*) */
> In 4.4 it's jhash2, which is *not* symmetric. This results in split connections.
> static __always_inline u32 __flow_hash_words(const u32 *words, u32 length, u32 keyval)
> {
>     return jhash2(words, length, keyval);
> }
> I have tested this on 4.2, then upgraded to 4.4, observed lots of SAD connections, went back to 4.2.
> This seems to clarify this design decision
> https://patchwork.ozlabs.org/patch/467861/
> After consulting Suricata developers (thank you, Regit!!) seems like there's a new way to achieve consistent hashing.
This method must be implemented for kernels >= 4.4 (maybe others, too). > https://lwn.net/Articles/655295/ > https://www.kernel.org/doc/Documentation/networking/filter.txt > eBPF fanout mode, so you write a filter and it af_packet respects hashing from it. -- This message was sent by Atlassian JIRA (v1000.5.0#72002) From jira at bro-tracker.atlassian.net Thu Apr 28 08:10:00 2016 From: jira at bro-tracker.atlassian.net (Jeannette Dopheide (JIRA)) Date: Thu, 28 Apr 2016 10:10:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1577) Fix minor spelling errors In-Reply-To: References: Message-ID: Jeannette Dopheide created BIT-1577: --------------------------------------- Summary: Fix minor spelling errors Key: BIT-1577 URL: https://bro-tracker.atlassian.net/browse/BIT-1577 Project: Bro Issue Tracker Issue Type: Task Components: Bro Reporter: Jeannette Dopheide Assignee: Jeannette Dopheide Fixing minor spelling errors in Bro 2.4.1 found here: https://lintian.debian.org/full/bengen at debian.org.html#bro_2.4.1_x2bdfsg-2 Repository : ssh://git at bro-ids.icir.org/bro On branch : topic/jdopheid/typos Link : https://github.com/bro/bro/commit/6dddd35d218583014938c2ee732cb6a1dfdee0f2 --------------------------------------------------------------- commit 6dddd35d218583014938c2ee732cb6a1dfdee0f2 Author: Jeannette Dopheide Date: Mon Apr 25 11:49:04 2016 -0500 Correcting spelling errors found under bro 2.4.1+dfsg-2 here: https://lintian.debian.org/full/bengen at debian.org.html#bro_2.4.1_x2bdfsg-2 --------------------------------------------------------------- 6dddd35d218583014938c2ee732cb6a1dfdee0f2 src/RuleCondition.cc | 2 +- src/RuleMatcher.cc | 2 +- src/Serializer.cc | 2 +- src/StateAccess.cc | 2 +- src/broxygen/Configuration.cc | 2 +- src/nb_dns.c | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index 68eb131..40ef5f0 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc 
@@ -111,7 +111,7 @@ bool RuleConditionPayloadSize::DoMatch(Rule* rule, RuleEndpointState* state, return payload_size >= val; default: - reporter->InternalError("unknown comparision type"); + reporter->InternalError("unknown comparison type"); } // Should not be reached diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index f40a5c4..f5b5b82 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -21,7 +21,7 @@ // it may fail to match. Work-around: Insert an always // matching "payload" pattern (not done in snort2bro yet) // - tcp-state always evaluates to true -// (implemented but deactivated for comparision to Snort) +// (implemented but deactivated for comparison to Snort) uint32 RuleHdrTest::idcounter = 0; diff --git a/src/Serializer.cc b/src/Serializer.cc index 49e57c0..5c1ae60 100644 --- a/src/Serializer.cc +++ b/src/Serializer.cc @@ -437,7 +437,7 @@ bool Serializer::UnserializeCall(UnserialInfo* info) bool Serializer::UnserializeStateAccess(UnserialInfo* info) { - SetErrorDescr("unserializing state acess"); + SetErrorDescr("unserializing state access"); StateAccess* s = StateAccess::Unserialize(info); diff --git a/src/StateAccess.cc b/src/StateAccess.cc index aa4a1f3..6e73c8c 100644 --- a/src/StateAccess.cc +++ b/src/StateAccess.cc @@ -150,7 +150,7 @@ bool StateAccess::CheckOld(const char* op, ID* id, Val* index, if ( should && is ) { - // There's no general comparision for non-atomic vals currently. + // There's no general comparison for non-atomic vals currently. if ( ! (is_atomic_val(is) && is_atomic_val(should)) ) return true; diff --git a/src/broxygen/Configuration.cc b/src/broxygen/Configuration.cc index 264e8e6..4780e6a 100644 --- a/src/broxygen/Configuration.cc +++ b/src/broxygen/Configuration.cc 
@@ -65,7 +65,7 @@ Config::Config(const string& arg_file, const string& delim) Target* target = target_factory.Create(tokens[0], tokens[2], tokens[1]); if ( ! target ) - reporter->FatalError("unkown Broxygen target type: %s", + reporter->FatalError("unknown Broxygen target type: %s", tokens[0].c_str()); targets.push_back(target); diff --git a/src/nb_dns.c b/src/nb_dns.c index 1e5d427..35059ab 100644 --- a/src/nb_dns.c +++ b/src/nb_dns.c @@ -389,7 +389,7 @@ nb_dns_addr_request2(register struct nb_dns_info *nd, char *addrp, default: snprintf(errstr, NB_DNS_ERRSIZE, - "nb_dns_addr_request2(): uknown address family %d", af); + "nb_dns_addr_request2(): unknown address family %d", af); return (-1); } _______________________________________________ bro-commits mailing list bro-commits at bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-commits -- This message was sent by Atlassian JIRA (v1000.5.0#72002) From jira at bro-tracker.atlassian.net Thu Apr 28 08:10:02 2016 
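Review bot: four of the six hunks change strings that are emitted at run time rather than comments (the InternalError text in src/RuleCondition.cc, SetErrorDescr in src/Serializer.cc, FatalError in src/broxygen/Configuration.cc, and the errstr message built by snprintf in src/nb_dns.c), so test baselines and any scripts that match on the old spellings should be grepped for "comparision", "acess", "unkown" and "uknown" before this is merged. The RuleMatcher.cc and StateAccess.cc hunks touch comments only and need no follow-up. The commit message would be clearer if it said that user-visible messages change, since "spelling errors" alone reads like a comment-only cleanup.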
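The property at stake in BIT-1575 above, as an added C illustration (not kernel, Bro or af_packet plugin code): a word hash in the style of jhash2 gives the two directions of a flow unrelated values unless the endpoints are put in a fixed order first, and a worker chosen from that value then sees only one half of the connection. The struct flow layout, the function names, the seed and the sample addresses are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical IPv4 flow tuple; field names are illustrative only. */
struct flow {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};

typedef uint32_t (*flow_hash_fn)(const struct flow *, uint32_t seed);

static uint32_t rol32(uint32_t x, unsigned r) { return (x << r) | (x >> (32 - r)); }

/* Word-array hash modelled on Bob Jenkins' lookup3; the order of the words matters. */
static uint32_t hash_words(const uint32_t *k, uint32_t length, uint32_t seed)
{
    uint32_t a, b, c;
    a = b = c = 0xdeadbeefu + (length << 2) + seed;
    while (length > 3) {
        a += k[0]; b += k[1]; c += k[2];
        a -= c; a ^= rol32(c, 4);  c += b;
        b -= a; b ^= rol32(a, 6);  a += c;
        c -= b; c ^= rol32(b, 8);  b += a;
        a -= c; a ^= rol32(c, 16); c += b;
        b -= a; b ^= rol32(a, 19); a += c;
        c -= b; c ^= rol32(b, 4);  b += a;
        length -= 3; k += 3;
    }
    switch (length) {
    case 3: c += k[2]; /* fall through */
    case 2: b += k[1]; /* fall through */
    case 1: a += k[0];
        c ^= b; c -= rol32(b, 14);
        a ^= c; a -= rol32(c, 11);
        b ^= a; b -= rol32(a, 25);
        c ^= b; c -= rol32(b, 16);
        a ^= c; a -= rol32(c, 4);
        b ^= a; b -= rol32(a, 14);
        c ^= b; c -= rol32(b, 24);
    }
    return c;
}

/* Direction-dependent: hashes the tuple in the order the packet carries it. */
uint32_t hash_directional(const struct flow *f, uint32_t seed)
{
    uint32_t w[4] = { f->src_ip, f->dst_ip,
                      ((uint32_t)f->src_port << 16) | f->dst_port, f->proto };
    return hash_words(w, 4, seed);
}

/* Direction-independent: order the endpoints first, so A->B and B->A hash the same words. */
uint32_t hash_symmetric(const struct flow *f, uint32_t seed)
{
    struct flow c = *f;
    if (c.dst_ip < c.src_ip ||
        (c.dst_ip == c.src_ip && c.dst_port < c.src_port)) {
        c.src_ip = f->dst_ip;     c.dst_ip = f->src_ip;
        c.src_port = f->dst_port; c.dst_port = f->src_port;
    }
    return hash_directional(&c, seed);
}

struct flow reverse_flow(struct flow f)
{
    struct flow r = { f.dst_ip, f.src_ip, f.dst_port, f.src_port, f.proto };
    return r;
}

/* Constructed sample traffic: clients from 10.0.0.1 upward to TCP/443 on 192.168.0.x. */
struct flow sample_flow(unsigned i)
{
    struct flow f = { 0x0a000001u + i, 0xc0a80001u + (i % 16u),
                      (uint16_t)(40000u + i), 443, 6 };
    return f;
}

/* Count flows whose two directions land on different workers when packets
 * are steered by hash % nworkers (a simple model of hash-based fanout). */
unsigned count_split_flows(flow_hash_fn h, unsigned nflows, unsigned nworkers, uint32_t seed)
{
    unsigned i, split = 0;
    for (i = 0; i < nflows; i++) {
        struct flow f = sample_flow(i), r = reverse_flow(f);
        if (h(&f, seed) % nworkers != h(&r, seed) % nworkers)
            split++;
    }
    return split;
}

int main(void)
{
    printf("directional: %u/1000 split\n", count_split_flows(hash_directional, 1000, 4, 0x5eed));
    printf("symmetric:   %u/1000 split\n", count_split_flows(hash_symmetric, 1000, 4, 0x5eed));
    return 0;
}
```

With a well-mixed direction-dependent hash the two directions agree on a worker only by chance, about once in nworkers flows, which is what shows up in the logs as large numbers of half-seen connections.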
From: jira at bro-tracker.atlassian.net (Jeannette Dopheide (JIRA))
Date: Thu, 28 Apr 2016 10:10:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1577) Fix minor spelling errors
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeannette Dopheide updated BIT-1577:
------------------------------------
Status: Merge Request (was: Open)
Assignee: (was: Jeannette Dopheide)

> Fix minor spelling errors
> -------------------------
>
> Key: BIT-1577
> URL: https://bro-tracker.atlassian.net/browse/BIT-1577
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Reporter: Jeannette Dopheide
>
> Fixing minor spelling errors in Bro 2.4.1 found here:
> https://lintian.debian.org/full/bengen at debian.org.html#bro_2.4.1_x2bdfsg-2
> Repository : ssh://git at bro-ids.icir.org/bro
> On branch : topic/jdopheid/typos
> Link : https://github.com/bro/bro/commit/6dddd35d218583014938c2ee732cb6a1dfdee0f2
> ---------------------------------------------------------------
> commit 6dddd35d218583014938c2ee732cb6a1dfdee0f2
> Author: Jeannette Dopheide
> Date: Mon Apr 25 11:49:04 2016 -0500
> Correcting spelling errors found under bro 2.4.1+dfsg-2 here:
>
> https://lintian.debian.org/full/bengen at debian.org.html#bro_2.4.1_x2bdfsg-2
> ---------------------------------------------------------------
> 6dddd35d218583014938c2ee732cb6a1dfdee0f2
> src/RuleCondition.cc | 2 +-
> src/RuleMatcher.cc | 2 +-
> src/Serializer.cc | 2 +-
> src/StateAccess.cc | 2 +-
> src/broxygen/Configuration.cc | 2 +-
> src/nb_dns.c | 2 +-
> 6 files changed, 6 insertions(+), 6 deletions(-)
> diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc > index 68eb131..40ef5f0 100644 > --- a/src/RuleCondition.cc > +++ b/src/RuleCondition.cc
> @@ -111,7 +111,7 @@ bool RuleConditionPayloadSize::DoMatch(Rule* rule, RuleEndpointState* state, > return payload_size >= val; > default: > - reporter->InternalError("unknown comparision type"); > + reporter->InternalError("unknown comparison type"); > } > // Should not be reached > diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc > index f40a5c4..f5b5b82 100644 > --- a/src/RuleMatcher.cc > +++ b/src/RuleMatcher.cc > @@ -21,7 +21,7 @@ > // it may fail to match. Work-around: Insert an always > // matching "payload" pattern (not done in snort2bro yet) > // - tcp-state always evaluates to true > -// (implemented but deactivated for comparision to Snort) > +// (implemented but deactivated for comparison to Snort) > uint32 RuleHdrTest::idcounter = 0; > diff --git a/src/Serializer.cc b/src/Serializer.cc > index 49e57c0..5c1ae60 100644 > --- a/src/Serializer.cc > +++ b/src/Serializer.cc > @@ -437,7 +437,7 @@ bool Serializer::UnserializeCall(UnserialInfo* info) > bool Serializer::UnserializeStateAccess(UnserialInfo* info) > { > - SetErrorDescr("unserializing state acess"); > + SetErrorDescr("unserializing state access"); > StateAccess* s = StateAccess::Unserialize(info); > diff --git a/src/StateAccess.cc b/src/StateAccess.cc > index aa4a1f3..6e73c8c 100644 > --- a/src/StateAccess.cc > +++ b/src/StateAccess.cc > @@ -150,7 +150,7 @@ bool StateAccess::CheckOld(const char* op, ID* id, Val* index, > if ( should && is ) > { > - // There's no general comparision for non-atomic vals currently. > + // There's no general comparison for non-atomic vals currently. > if ( ! (is_atomic_val(is) && is_atomic_val(should)) ) > return true; > diff --git a/src/broxygen/Configuration.cc b/src/broxygen/Configuration.cc > index 264e8e6..4780e6a 100644 > --- a/src/broxygen/Configuration.cc > +++ b/src/broxygen/Configuration.cc 
> @@ -65,7 +65,7 @@ Config::Config(const string& arg_file, const string& delim) > Target* target = target_factory.Create(tokens[0], tokens[2], tokens[1]); > if ( ! target ) > - reporter->FatalError("unkown Broxygen target type: %s", > + reporter->FatalError("unknown Broxygen target type: %s", > tokens[0].c_str()); > targets.push_back(target); > diff --git a/src/nb_dns.c b/src/nb_dns.c > index 1e5d427..35059ab 100644 > --- a/src/nb_dns.c > +++ b/src/nb_dns.c > @@ -389,7 +389,7 @@ nb_dns_addr_request2(register struct nb_dns_info *nd, char *addrp, > default: > snprintf(errstr, NB_DNS_ERRSIZE, > - "nb_dns_addr_request2(): uknown address family %d", af); > + "nb_dns_addr_request2(): unknown address family %d", af); > return (-1); > } > _______________________________________________ > bro-commits mailing list > bro-commits at bro.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-commits -- This message was sent by Atlassian JIRA (v1000.5.0#72002) From jira at bro-tracker.atlassian.net Thu Apr 28 09:53:00 2016 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 28 Apr 2016 11:53:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1577) Fix minor spelling errors
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1577:
----------------------------------
Assignee: Johanna Amann

> Fix minor spelling errors
> -------------------------
>
> Key: BIT-1577
> URL: https://bro-tracker.atlassian.net/browse/BIT-1577
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Reporter: Jeannette Dopheide
> Assignee: Johanna Amann
>
> Fixing minor spelling errors in Bro 2.4.1 found here:
> https://lintian.debian.org/full/bengen at debian.org.html#bro_2.4.1_x2bdfsg-2
> Repository : ssh://git at bro-ids.icir.org/bro
> On branch : topic/jdopheid/typos
> Link : https://github.com/bro/bro/commit/6dddd35d218583014938c2ee732cb6a1dfdee0f2
> ---------------------------------------------------------------
> commit 6dddd35d218583014938c2ee732cb6a1dfdee0f2
> Author: Jeannette Dopheide
> Date: Mon Apr 25 11:49:04 2016 -0500
> Correcting spelling errors found under bro 2.4.1+dfsg-2 here:
>
> https://lintian.debian.org/full/bengen at debian.org.html#bro_2.4.1_x2bdfsg-2
> ---------------------------------------------------------------
> 6dddd35d218583014938c2ee732cb6a1dfdee0f2
> src/RuleCondition.cc | 2 +-
> src/RuleMatcher.cc | 2 +-
> src/Serializer.cc | 2 +-
> src/StateAccess.cc | 2 +-
> src/broxygen/Configuration.cc | 2 +-
> src/nb_dns.c | 2 +-
> 6 files changed, 6 insertions(+), 6 deletions(-)
> diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc > index 68eb131..40ef5f0 100644 > --- a/src/RuleCondition.cc > +++ b/src/RuleCondition.cc
> @@ -111,7 +111,7 @@ bool RuleConditionPayloadSize::DoMatch(Rule* rule, RuleEndpointState* state, > return payload_size >= val; > default: > - reporter->InternalError("unknown comparision type"); > + reporter->InternalError("unknown comparison type"); > } > // Should not be reached > diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc > index f40a5c4..f5b5b82 100644 > --- a/src/RuleMatcher.cc > +++ b/src/RuleMatcher.cc > @@ -21,7 +21,7 @@ > // it may fail to match. Work-around: Insert an always > // matching "payload" pattern (not done in snort2bro yet) > // - tcp-state always evaluates to true > -// (implemented but deactivated for comparision to Snort) > +// (implemented but deactivated for comparison to Snort) > uint32 RuleHdrTest::idcounter = 0; > diff --git a/src/Serializer.cc b/src/Serializer.cc > index 49e57c0..5c1ae60 100644 > --- a/src/Serializer.cc > +++ b/src/Serializer.cc > @@ -437,7 +437,7 @@ bool Serializer::UnserializeCall(UnserialInfo* info) > bool Serializer::UnserializeStateAccess(UnserialInfo* info) > { > - SetErrorDescr("unserializing state acess"); > + SetErrorDescr("unserializing state access"); > StateAccess* s = StateAccess::Unserialize(info); > diff --git a/src/StateAccess.cc b/src/StateAccess.cc > index aa4a1f3..6e73c8c 100644 > --- a/src/StateAccess.cc > +++ b/src/StateAccess.cc > @@ -150,7 +150,7 @@ bool StateAccess::CheckOld(const char* op, ID* id, Val* index, > if ( should && is ) > { > - // There's no general comparision for non-atomic vals currently. > + // There's no general comparison for non-atomic vals currently. > if ( ! (is_atomic_val(is) && is_atomic_val(should)) ) > return true; > diff --git a/src/broxygen/Configuration.cc b/src/broxygen/Configuration.cc > index 264e8e6..4780e6a 100644 > --- a/src/broxygen/Configuration.cc > +++ b/src/broxygen/Configuration.cc 
> @@ -65,7 +65,7 @@ Config::Config(const string& arg_file, const string& delim) > Target* target = target_factory.Create(tokens[0], tokens[2], tokens[1]); > if ( ! target ) > - reporter->FatalError("unkown Broxygen target type: %s", > + reporter->FatalError("unknown Broxygen target type: %s", > tokens[0].c_str()); > targets.push_back(target); > diff --git a/src/nb_dns.c b/src/nb_dns.c > index 1e5d427..35059ab 100644 > --- a/src/nb_dns.c > +++ b/src/nb_dns.c > @@ -389,7 +389,7 @@ nb_dns_addr_request2(register struct nb_dns_info *nd, char *addrp, > default: > snprintf(errstr, NB_DNS_ERRSIZE, > - "nb_dns_addr_request2(): uknown address family %d", af); > + "nb_dns_addr_request2(): unknown address family %d", af); > return (-1); > } > _______________________________________________ > bro-commits mailing list > bro-commits at bro.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-commits -- This message was sent by Atlassian JIRA (v1000.5.0#72002) From jira at bro-tracker.atlassian.net Thu Apr 28 10:07:00 2016 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 28 Apr 2016 12:07:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1574) Please merge topic/johanna/imap-starttls
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1574?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1574:
---------------------------------
Assignee: Robin Sommer

> Please merge topic/johanna/imap-starttls
> ----------------------------------------
>
> Key: BIT-1574
> URL: https://bro-tracker.atlassian.net/browse/BIT-1574
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: git/master
> Reporter: Johanna Amann
> Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/imap-starttls
> This adds a very rudimentary IMAP analyzer (binpac based), which parses just enough of the protocol to recognize when a server switches to SSL using StartTLS, switching a connection to the SSL analyzer from this point.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Thu Apr 28 10:21:01 2016
From: jira at bro-tracker.atlassian.net (Jeannette Dopheide (JIRA))
Date: Thu, 28 Apr 2016 12:21:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readabiity
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeannette Dopheide updated BIT-1571:
------------------------------------
Fix Version/s: (was: 2,5) 2.5

> Connection summaries w/ IPv6 have poor readabiity
> -------------------------------------------------
>
> Key: BIT-1571
> URL: https://bro-tracker.atlassian.net/browse/BIT-1571
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: BroControl
> Affects Versions: 2.4
> Reporter: Adam Slagell
> Assignee: Daniel Thayer
> Priority: Low
> Fix For: 2.5
>
> Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt, text.html
>
>
> The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Thu Apr 28 10:22:01 2016
From: jira at bro-tracker.atlassian.net (Jeannette Dopheide (JIRA))
Date: Thu, 28 Apr 2016 12:22:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1496) Extend TLS dpd signature
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeannette Dopheide updated BIT-1496:
------------------------------------
Fix Version/s: (was: 2,5) 2.5

> Extend TLS dpd signature
> ------------------------
>
> Key: BIT-1496
> URL: https://bro-tracker.atlassian.net/browse/BIT-1496
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Johanna Amann
> Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/tls_early_alert, which extends the TLS dpd signature to allow cases where the server sends a TLS alert before the Server hello.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Thu Apr 28 10:25:00 2016
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 28 Apr 2016 12:25:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1449) Wrap Broker Bifs into script-level functions
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1449:
---------------------------------
Assignee: Robin Sommer

> Wrap Broker Bifs into script-level functions
> --------------------------------------------
>
> Key: BIT-1449
> URL: https://bro-tracker.atlassian.net/browse/BIT-1449
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Reporter: Robin Sommer
> Assignee: Robin Sommer
> Fix For: 2.5
>
>
> When working with Broker in Bro, one currently calls its bifs directly. That works just fine, but is a problem for documentation: the bifs are defined outside of the Broker framework, splitting the information across two places.
> We should do here what other frameworks do: rename the Bifs to have internal-only names ({{__}}) and then provide wrapper functions inside the framework that just forward to those internal ones.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Thu Apr 28 10:26:00 2016
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 28 Apr 2016 12:26:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1449) Wrap Broker Bifs into script-level functions
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=26003#comment-26003 ]

Robin Sommer commented on BIT-1449:
-----------------------------------

Nice, thanks!

> Wrap Broker Bifs into script-level functions
> --------------------------------------------
>
> Key: BIT-1449
> URL: https://bro-tracker.atlassian.net/browse/BIT-1449
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Reporter: Robin Sommer
> Assignee: Robin Sommer
> Fix For: 2.5
>
>
> When working with Broker in Bro, one currently calls its bifs directly. That works just fine, but is a problem for documentation: the bifs are defined outside of the Broker framework, splitting the information across two places.
> We should do here what other frameworks do: rename the Bifs to have internal-only names ({{__}}) and then provide wrapper functions inside the framework that just forward to those internal ones.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Thu Apr 28 10:28:00 2016
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Thu, 28 Apr 2016 12:28:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1578) dns_unmatched_msg weird has no connection associated with it
In-Reply-To:
References:
Message-ID:

Vlad Grigorescu created BIT-1578:
------------------------------------
Summary: dns_unmatched_msg weird has no connection associated with it
Key: BIT-1578
URL: https://bro-tracker.atlassian.net/browse/BIT-1578
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master, 2.4
Reporter: Vlad Grigorescu
Assignee: Vlad Grigorescu

NCSA has about 3 million weirds for "dns_unmatched_msg" per day. Debugging this issue is very difficult, however, since the weird.log entries don't have uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, or addl set for the weirds.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Thu Apr 28 10:38:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Thu, 28 Apr 2016 12:38:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1549) broctl top command doesn't work on OS X 10.10 or newer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1549?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Azoff updated BIT-1549:
------------------------------
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

> broctl top command doesn't work on OS X 10.10 or newer
> ------------------------------------------------------
>
> Key: BIT-1549
> URL: https://bro-tracker.atlassian.net/browse/BIT-1549
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: BroControl
> Reporter: Daniel Thayer
> Assignee: Justin Azoff
> Fix For: 2.5
>
>
> On OS X Mavericks, the broctl top command was working, but on Yosemite
> (and El Capitan), it no longer works. The reason is that the
> "-stats vprvt" option of the top command always prints "N/A".

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Thu Apr 28 10:45:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Thu, 28 Apr 2016 12:45:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1564) BroControl incorrectly references ok attribute of results even when None type is returned
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1564?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Azoff updated BIT-1564:
------------------------------
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

> BroControl incorrectly references ok attribute of results even when None type is returned
> -----------------------------------------------------------------------------------------
>
> Key: BIT-1564
> URL: https://bro-tracker.atlassian.net/browse/BIT-1564
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Reporter: Scott Knick
> Assignee: Justin Azoff
> Priority: Low
> Fix For: 2.5
>
>
> The various do_xxxx methods in bin/broctl attempt to reference the "ok" attribute of the results object returned from the BroCtl class' corresponding method. However, these methods can return the None type which has no "ok" attribute. This results in errors like this from BroControl:
> {{[root at system spool]# /usr/local/bro/bin/broctl install
> error: Unable to do xyz in plugin
> Error: 'NoneType' object has no attribute 'ok'}}
> I discovered this when returning False from the cmd_install_pre() method of my custom BroControl plugin.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Thu Apr 28 10:46:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 28 Apr 2016 12:46:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1577) Fix minor spelling errors
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1577:
-------------------------------
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

Merged in f9db0f2e847eaeca028eac2974c709f8e2cb794f

> Fix minor spelling errors
> -------------------------
>
> Key: BIT-1577
> URL: https://bro-tracker.atlassian.net/browse/BIT-1577
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Reporter: Jeannette Dopheide
> Assignee: Johanna Amann
>
> Fixing minor spelling errors in Bro 2.4.1 found here:
> https://lintian.debian.org/full/bengen at debian.org.html#bro_2.4.1_x2bdfsg-2
> Repository : ssh://git at bro-ids.icir.org/bro
> On branch : topic/jdopheid/typos
> Link : https://github.com/bro/bro/commit/6dddd35d218583014938c2ee732cb6a1dfdee0f2
> ---------------------------------------------------------------
> commit 6dddd35d218583014938c2ee732cb6a1dfdee0f2
> Author: Jeannette Dopheide
> Date: Mon Apr 25 11:49:04 2016 -0500
> Correcting spelling errors found under bro 2.4.1+dfsg-2 here:
>
> https://lintian.debian.org/full/bengen at debian.org.html#bro_2.4.1_x2bdfsg-2
> ---------------------------------------------------------------
> 6dddd35d218583014938c2ee732cb6a1dfdee0f2
> src/RuleCondition.cc | 2 +-
> src/RuleMatcher.cc | 2 +-
> src/Serializer.cc | 2 +-
> src/StateAccess.cc | 2 +-
> src/broxygen/Configuration.cc | 2 +-
> src/nb_dns.c | 2 +-
> 6 files changed, 6 insertions(+), 6 deletions(-)
> diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc > index 68eb131..40ef5f0 100644 > --- a/src/RuleCondition.cc > +++ b/src/RuleCondition.cc
> @@ -111,7 +111,7 @@ bool RuleConditionPayloadSize::DoMatch(Rule* rule, RuleEndpointState* state, > return payload_size >= val; > default: > - reporter->InternalError("unknown comparision type"); > + reporter->InternalError("unknown comparison type"); > } > // Should not be reached > diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc > index f40a5c4..f5b5b82 100644 > --- a/src/RuleMatcher.cc > +++ b/src/RuleMatcher.cc > @@ -21,7 +21,7 @@ > // it may fail to match. Work-around: Insert an always > // matching "payload" pattern (not done in snort2bro yet) > // - tcp-state always evaluates to true > -// (implemented but deactivated for comparision to Snort) > +// (implemented but deactivated for comparison to Snort) > uint32 RuleHdrTest::idcounter = 0; > diff --git a/src/Serializer.cc b/src/Serializer.cc > index 49e57c0..5c1ae60 100644 > --- a/src/Serializer.cc > +++ b/src/Serializer.cc > @@ -437,7 +437,7 @@ bool Serializer::UnserializeCall(UnserialInfo* info) > bool Serializer::UnserializeStateAccess(UnserialInfo* info) > { > - SetErrorDescr("unserializing state acess"); > + SetErrorDescr("unserializing state access"); > StateAccess* s = StateAccess::Unserialize(info); > diff --git a/src/StateAccess.cc b/src/StateAccess.cc > index aa4a1f3..6e73c8c 100644 > --- a/src/StateAccess.cc > +++ b/src/StateAccess.cc > @@ -150,7 +150,7 @@ bool StateAccess::CheckOld(const char* op, ID* id, Val* index, > if ( should && is ) > { > - // There's no general comparision for non-atomic vals currently. > + // There's no general comparison for non-atomic vals currently. > if ( ! (is_atomic_val(is) && is_atomic_val(should)) ) > return true; > diff --git a/src/broxygen/Configuration.cc b/src/broxygen/Configuration.cc > index 264e8e6..4780e6a 100644 > --- a/src/broxygen/Configuration.cc > +++ b/src/broxygen/Configuration.cc 
> @@ -65,7 +65,7 @@ Config::Config(const string& arg_file, const string& delim) > Target* target = target_factory.Create(tokens[0], tokens[2], tokens[1]); > if ( ! target ) > - reporter->FatalError("unkown Broxygen target type: %s", > + reporter->FatalError("unknown Broxygen target type: %s", > tokens[0].c_str()); > targets.push_back(target); > diff --git a/src/nb_dns.c b/src/nb_dns.c > index 1e5d427..35059ab 100644 > --- a/src/nb_dns.c > +++ b/src/nb_dns.c > @@ -389,7 +389,7 @@ nb_dns_addr_request2(register struct nb_dns_info *nd, char *addrp, > default: > snprintf(errstr, NB_DNS_ERRSIZE, > - "nb_dns_addr_request2(): uknown address family %d", af); > + "nb_dns_addr_request2(): unknown address family %d", af); > return (-1); > } > _______________________________________________ > bro-commits mailing list > bro-commits at bro.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-commits -- This message was sent by Atlassian JIRA (v1000.5.0#72002) From jan.grashoefer at gmail.com Thu Apr 28 11:18:52 2016 From: jan.grashoefer at gmail.com (=?UTF-8?Q?Jan_Grash=c3=b6fer?=) Date: Thu, 28 Apr 2016 20:18:52 +0200 Subject: [Bro-Dev] Opaque type in plugin Message-ID: <16497b8e-6c14-554f-a940-093ade9bb326@gmail.com> Hi, just a quick question: Is it possible to create a new opaque type for Bro using a dynamic plugin without touching Bro sources? Best regards, Jan From robin at icir.org Thu Apr 28 11:49:05 2016 
From: robin at icir.org (Robin Sommer)
Date: Thu, 28 Apr 2016 11:49:05 -0700
Subject: [Bro-Dev] Opaque type in plugin
In-Reply-To: <16497b8e-6c14-554f-a940-093ade9bb326@gmail.com>
References: <16497b8e-6c14-554f-a940-093ade9bb326@gmail.com>
Message-ID: <20160428184905.GO50101@icir.org>

On Thu, Apr 28, 2016 at 20:18 +0200, you wrote:

> Is it possible to create a new opaque type for Bro using a dynamic
> plugin without touching Bro sources?

Yes, it should. I believe if you implement the logic in your plugin's InitPreScript() method, it should work.

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From jira at bro-tracker.atlassian.net Thu Apr 28 11:50:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 28 Apr 2016 13:50:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readabiity
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=26005#comment-26005 ]

Daniel Thayer commented on BIT-1571:
------------------------------------

Branch "topic/dnthayer/ticket1571" in the trace-summary git repo contains the fix for this issue. Now trace-summary just increases the column width as needed when it sees a longer IP address.

> Connection summaries w/ IPv6 have poor readabiity
> -------------------------------------------------
>
> Key: BIT-1571
> URL: https://bro-tracker.atlassian.net/browse/BIT-1571
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: BroControl
> Affects Versions: 2.4
> Reporter: Adam Slagell
> Assignee: Daniel Thayer
> Priority: Low
> Fix For: 2.5
>
> Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt, text.html
>
>
> The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Thu Apr 28 11:52:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 28 Apr 2016 13:52:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readabiity
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1571:
-------------------------------
Status: Merge Request (was: Open)
Assignee: (was: Daniel Thayer)

> Connection summaries w/ IPv6 have poor readabiity
> -------------------------------------------------
>
> Key: BIT-1571
> URL: https://bro-tracker.atlassian.net/browse/BIT-1571
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: BroControl
> Affects Versions: 2.4
> Reporter: Adam Slagell
> Priority: Low
> Fix For: 2.5
>
> Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt, text.html
>
>
> The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Thu Apr 28 11:54:00 2016
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 28 Apr 2016 13:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1449) Wrap Broker Bifs into script-level functions
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1449:
------------------------------
    Resolution: Merged (was: Fixed)
    Status: Closed (was: Merge Request)

> Wrap Broker Bifs into script-level functions
> --------------------------------------------
>
> Key: BIT-1449
> URL: https://bro-tracker.atlassian.net/browse/BIT-1449
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Reporter: Robin Sommer
> Assignee: Robin Sommer
> Fix For: 2.5
>
>
> When working with Broker in Bro, one currently calls its bifs directly. That works just fine, but is a problem for documentation: the bifs are defined outside of the Broker framework, splitting the information across two places.
> We should do here what other frameworks do: rename the Bifs to have internal-only names ({{__}}) and then provide wrapper functions inside the framework that just forward to those internal ones.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Thu Apr 28 11:54:00 2016
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 28 Apr 2016 13:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1572) Please merge topic/johanna/intel-uid-fuid
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1572:
------------------------------
    Resolution: Merged (was: Fixed)
    Status: Closed (was: Merge Request)

> Please merge topic/johanna/intel-uid-fuid
> -----------------------------------------
>
> Key: BIT-1572
> URL: https://bro-tracker.atlassian.net/browse/BIT-1572
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Johanna Amann
> Fix For: 2.5
>
>
> Please merge topic/johanna/intel-uid-fuid.
> This patch allows users to provide the fuid or the connection id directly, in case they do not have access to either in the event that they handle.
> An example for this is the handling of certificates in SSL, where the fa_file record cannot be retained because this would create a cyclic data structure.
> This patch also provides file IDs for hostname matches in certificates, which was not possible with the previous API.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Thu Apr 28 11:54:00 2016
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 28 Apr 2016 13:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1574) Please merge topic/johanna/imap-starttls
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1574?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1574:
------------------------------
    Resolution: Merged (was: Fixed)
    Status: Closed (was: Merge Request)

> Please merge topic/johanna/imap-starttls
> ----------------------------------------
>
> Key: BIT-1574
> URL: https://bro-tracker.atlassian.net/browse/BIT-1574
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: git/master
> Reporter: Johanna Amann
> Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/imap-starttls
> This adds a very rudimentary IMAP analyzer (binpac based), which parses just enough of the protocol to recognize when a server switches to SSL using StartTLS, switching a connection to the SSL analyzer from this point.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jdopheid at illinois.edu Thu Apr 28 12:03:13 2016
From: jdopheid at illinois.edu (Dopheide, Jeannette M)
Date: Thu, 28 Apr 2016 19:03:13 +0000
Subject: [Bro-Dev] which of these Lintian error messages need tickets?
Message-ID: <7EFD7D614A2BB84ABEA19B2CEDD246580A73778A@CITESMBX5.ad.uillinois.edu>

Hello Bro-Dev,

See link: https://lintian.debian.org/full/bengen at debian.org.html#bro_2.4.1_x2bdfsg-2

Below I've listed the errors/alerts associated with the software we develop (e.g., bro, broctl, btests, etc.) and grouped them by error message. Which, if any, of these errors need a ticket to fix?

1. binary file built without LFS support

binpac: binary-file-built-without-LFS-support
    usr/bin/binpac
bro (2.4.1+dfsg-2+b3; main): binary-file-built-without-LFS-support
    usr/bin/bro
bro-aux (0.35-1): binary-file-built-without-LFS-support
    usr/bin/nfcollector

2. binary without manpage

binpac (0.44-1): binary-without-manpage
    usr/bin/binpac usr/bin/binpac
btest (0.54-1): binary-without-manpage
    usr/bin/btest
    usr/bin/btest-ask-update
    usr/bin/btest-bg-run
    usr/bin/btest-bg-run-helper
    usr/bin/btest-bg-wait
    usr/bin/btest-diff
    usr/bin/btest-diff-rst
    usr/bin/btest-rst-cmd
    usr/bin/btest-rst-include
    usr/bin/btest-rst-pipe
    usr/bin/btest-setsid

3. hardening no bindnow

binpac (0.44-1): hardening-no-bindnow
    usr/bin/binpac usr/bin/binpac
bro (2.4.1+dfsg-2+b3; main): hardening-no-bindnow
    usr/bin/bro usr/bin/bro
bro-aux (0.35-1): hardening-no-bindnow
    usr/bin/adtrace usr/bin/adtrace
    usr/bin/bro-cut usr/bin/bro-cut
    usr/bin/ftwire2bro usr/bin/ftwire2bro
    usr/bin/nfcollector usr/bin/nfcollector
    usr/bin/rst usr/bin/rst
capstats (0.22-1): hardening-no-bindnow
    usr/bin/capstats usr/bin/capstats

4. hardening no pie

binpac (0.44-1): hardening-no-pie
    usr/bin/binpac usr/bin/binpac
bro (2.4.1+dfsg-2+b3; main): hardening-no-pie
    usr/bin/bro usr/bin/bro
bro-aux (0.35-1): hardening-no-pie
    usr/bin/adtrace usr/bin/adtrace
    usr/bin/bro-cut usr/bin/bro-cut
    usr/bin/ftwire2bro usr/bin/ftwire2bro
    usr/bin/nfcollector usr/bin/nfcollector
    usr/bin/rst usr/bin/rst
capstats (0.22-1): hardening-no-pie
    usr/bin/capstats usr/bin/capstats

5. no ctrl scripts

binpac (0.44-1): no-ctrl-scripts
bro (2.4.1+dfsg-2+b3; main): no-ctrl-scripts
bro-common: no-ctrl-scripts
bro-aux (0.35-1): no-ctrl-scripts
capstats (0.22-1): no-ctrl-scripts

6. static library has unneeded section

binpac (0.44-1): static-library-has-unneeded-section
    usr/lib/libbinpac.a(binpac_buffer.cc.o) .comment
    usr/lib/libbinpac.a(binpac_buffer.cc.o) .comment
    usr/lib/libbinpac.a(binpac_bytestring.cc.o) .comment
    usr/lib/libbinpac.a(binpac_bytestring.cc.o) .comment
    usr/lib/libbinpac.a(binpac_regex.cc.o) .comment
    usr/lib/libbinpac.a(binpac_regex.cc.o) .comment

7. unused override

bro (2.4.1+dfsg-2+b3; main): unused-override
    description-starts-with-package-name

8. extended description is probably too short

bro-common: extended-description-is-probably-too-short

9. ctrl script (is this really an error? it doesn't seem like one)

broctl (1.4-1): ctrl-script
    postinst
    prerm
btest (0.54-1): ctrl-script
    postinst
    prerm

10. vcs field uses insecure uri

trace-summary (0.84-1): vcs-field-uses-insecure-uri
    vcs-browser http://anonscm.debian.org/cgit/collab-maint/trace-summary.git
    vcs-git git://anonscm.debian.org/collab-maint/trace-summary.git

------
Jeannette M. Dopheide
Bro Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

From robin at icir.org Thu Apr 28 13:27:21 2016
From: robin at icir.org (Robin Sommer)
Date: Thu, 28 Apr 2016 13:27:21 -0700
Subject: [Bro-Dev] Timing regression?
In-Reply-To: <04727CD0-D8C3-4EA6-A22E-0160B2BC78B9@icir.org>
References: <20160414185219.GP64671@icir.org> <5463EB78-21D9-4BAE-88D0-8DB31F5CCE90@icir.org> <20160420194913.GL69000@icir.org> <04727CD0-D8C3-4EA6-A22E-0160B2BC78B9@icir.org>
Message-ID: <20160428202721.GQ50101@icir.org>

On Tue, Apr 26, 2016 at 01:23 -0400, you wrote:

> That was my thought too. I'll have to look into DFA state creations
> to see if we've walked into that problem again.

Turns out it's the entropy analysis. The change below makes execution times go down again.

That seems ok then? It's an optional policy script that the regression testing pulls in, but users won't see a difference unless they decide to load the script -- in which case it's reasonable to expect a performance impact due to doing additional analysis.

Robin

--------- cut -------------------------------------------------------
diff --git a/scripts/policy/frameworks/files/entropy-test-all-files.bro b/scripts/policy/frameworks/files/entropy-test-all-files.bro index fd02b9e..f66e2e9 100644 --- a/scripts/policy/frameworks/files/entropy-test-all-files.bro +++ b/scripts/policy/frameworks/files/entropy-test-all-files.bro @@ -11,10 +11,10 @@ export { event file_new(f: fa_file) { - Files::add_analyzer(f, Files::ANALYZER_ENTROPY); + # Files::add_analyzer(f, Files::ANALYZER_ENTROPY); }

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From noreply at bro.org Fri Apr 29 00:00:20 2016
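Review bot: With the only statement in the file_new handler commented out, entropy-test-all-files.bro still loads but attaches no entropy analyzer, so anyone who loads this policy script silently gets none of the analysis its name promises. If the aim is only to bring the regression suite's run time back down, keep the Files::add_analyzer(f, Files::ANALYZER_ENTROPY) call and stop loading the script in the timing test instead. If the call really is meant to go, delete the line rather than leaving it commented out inside an empty handler, and say so in the script's header comment.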
From: noreply at bro.org (Merge Tracker)
Date: Fri, 29 Apr 2016 00:00:20 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604290700.u3T70K6f026803@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee      Updated     For Version    Priority    Summary
------------  -----------  --------------  ------------  ----------  -------------  ----------  ------------------------------------------------------
BIT-1571 [1]  BroControl   Adam Slagell    -             2016-04-28  2.5            Low         Connection summaries w/ IPv6 have poor readability
BIT-1510 [2]  BroControl   Seth Hall       Justin Azoff  2016-04-07  2.5            Normal      Crash reports when no crash happened
BIT-1507 [3]  Bro          Jan Grashoefer  Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open Fastpath Commits
======================

Commit       Component    Author         Date        Summary
-----------  -----------  -------------  ----------  -------------------------------------------------------
373c872 [4]  bro          Daniel Thayer  2016-04-29  Fix a few incorrect type tags in Bro broker source code
362bf7a [5]  bro          Daniel Thayer  2016-04-27  Update docs and tests of the fmt() function
23d2562 [6]  bro          Seth Hall      2016-04-13  Revert "Fix RFB analyzer to build on FreeBSD"
16c0707 [7]  bro          Daniel Thayer  2016-04-13  Fix RFB analyzer to build on FreeBSD

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#52 [8]   bro          J-Gras [9]       2016-04-07  Fixed matching mail address intel [10]
#22 [11]  bro-plugins  nickwallen [12]  2016-04-11  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [13]
#18 [14]  bro-plugins  jshlbrd [15]     2016-03-03  SSDP analyzer [16]

[1] BIT-1571 https://bro-tracker.atlassian.net/browse/BIT-1571
[2] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510
[3] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[4] 373c872 https://github.com/bro/bro/commit/373c872e939f97c498b029cd08d4b24c0ab71c70
[5] 362bf7a https://github.com/bro/bro/commit/362bf7aee12814781ef97242accb176423cd2a64
[6] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673
[7] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f
[8] Pull Request #52 https://github.com/bro/bro/pull/52
[9] J-Gras https://github.com/J-Gras
[10] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[11] Pull Request #22 https://github.com/bro/bro-plugins/pull/22
[12] nickwallen https://github.com/nickwallen
[13] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[14] Pull Request #18 https://github.com/bro/bro-plugins/pull/18
[15] jshlbrd https://github.com/jshlbrd
[16] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From jira at bro-tracker.atlassian.net Fri Apr 29 13:54:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 29 Apr 2016 15:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1579) Please merge topic/johanna/xmpp-starttls
In-Reply-To:
References:
Message-ID:

Johanna Amann created BIT-1579:
----------------------------------

    Summary: Please merge topic/johanna/xmpp-starttls
    Key: BIT-1579
    URL: https://bro-tracker.atlassian.net/browse/BIT-1579
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: Bro
    Affects Versions: git/master
    Reporter: Johanna Amann
    Fix For: 2.5

Please merge topic/johanna/xmpp-starttls

This branch adds very basic support for XMPP, just up to the point when SSL encryption starts, when it switches to the SSL analyzer. Similar to the case of IMAP, this allows us to extract certificates from xmpp sessions that are upgraded.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Fri Apr 29 13:54:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 29 Apr 2016 15:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1579) Please merge topic/johanna/xmpp-starttls
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1579:
-------------------------------
    Status: Merge Request (was: Open)

> Please merge topic/johanna/xmpp-starttls
> -----------------------------------------
>
> Key: BIT-1579
> URL: https://bro-tracker.atlassian.net/browse/BIT-1579
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: git/master
> Reporter: Johanna Amann
> Fix For: 2.5
>
>
> Please merge topic/johanna/xmpp-starttls
> This branch adds very basic support for XMPP, just up to the point when SSL encryption starts, when it switches to the SSL analyzer. Similar to the case of IMAP, this allows us to extract certificates from xmpp sessions that are upgraded.

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From noreply at bro.org Sat Apr 30 00:00:21 2016
From: noreply at bro.org (Merge Tracker)
Date: Sat, 30 Apr 2016 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201604300700.u3U70L6V002007@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee      Updated     For Version    Priority    Summary
------------  -----------  --------------  ------------  ----------  -------------  ----------  ------------------------------------------------------
BIT-1579 [1]  Bro          Johanna Amann   -             2016-04-29  2.5            Normal      Please merge topic/johanna/xmpp-starttls
BIT-1571 [2]  BroControl   Adam Slagell    -             2016-04-28  2.5            Low         Connection summaries w/ IPv6 have poor readability
BIT-1510 [3]  BroControl   Seth Hall       Justin Azoff  2016-04-07  2.5            Normal      Crash reports when no crash happened
BIT-1507 [4]  Bro          Jan Grashoefer  Seth Hall     2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open Fastpath Commits
======================

Commit       Component    Author         Date        Summary
-----------  -----------  -------------  ----------  -------------------------------------------------------
373c872 [5]  bro          Daniel Thayer  2016-04-29  Fix a few incorrect type tags in Bro broker source code
362bf7a [6]  bro          Daniel Thayer  2016-04-27  Update docs and tests of the fmt() function
23d2562 [7]  bro          Seth Hall      2016-04-13  Revert "Fix RFB analyzer to build on FreeBSD"
16c0707 [8]  bro          Daniel Thayer  2016-04-13  Fix RFB analyzer to build on FreeBSD

Open GitHub Pull Requests
=========================

Issue     Component    User             Updated     Title
--------  -----------  ---------------  ----------  -----------------------------------------------------------------------
#52 [9]   bro          J-Gras [10]      2016-04-07  Fixed matching mail address intel [11]
#22 [12]  bro-plugins  nickwallen [13]  2016-04-11  BIT-1559 Bro-Plugins Send each log stream to different kafka topic [14]
#18 [15]  bro-plugins  jshlbrd [16]     2016-03-03  SSDP analyzer [17]

[1] BIT-1579 https://bro-tracker.atlassian.net/browse/BIT-1579
[2] BIT-1571 https://bro-tracker.atlassian.net/browse/BIT-1571
[3] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510
[4] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[5] 373c872 https://github.com/bro/bro/commit/373c872e939f97c498b029cd08d4b24c0ab71c70
[6] 362bf7a https://github.com/bro/bro/commit/362bf7aee12814781ef97242accb176423cd2a64
[7] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673
[8] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f
[9] Pull Request #52 https://github.com/bro/bro/pull/52
[10] J-Gras https://github.com/J-Gras
[11] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[12] Pull Request #22 https://github.com/bro/bro-plugins/pull/22
[13] nickwallen https://github.com/nickwallen
[14] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics
[15] Pull Request #18 https://github.com/bro/bro-plugins/pull/18
[16] jshlbrd https://github.com/jshlbrd
[17] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

From jira at bro-tracker.atlassian.net Sat Apr 30 12:38:00 2016
From: jira at bro-tracker.atlassian.net (Malware Utkonos (JIRA))
Date: Sat, 30 Apr 2016 14:38:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1580) Add ipv6 detection to conn.log
In-Reply-To:
References:
Message-ID:

Malware Utkonos created BIT-1580:
------------------------------------

    Summary: Add ipv6 detection to conn.log
    Key: BIT-1580
    URL: https://bro-tracker.atlassian.net/browse/BIT-1580
    Project: Bro Issue Tracker
    Issue Type: Patch
    Components: Bro
    Affects Versions: 2.4
    Reporter: Malware Utkonos

This is an additional column added to conn.log to determine if the connection is using ipv6. The address itself makes this clear, but it is much easier to grep for T/F than examining the address.

Pull request with patch:
https://github.com/bro/bro/pull/70

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)

From jira at bro-tracker.atlassian.net Sat Apr 30 20:35:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Sat, 30 Apr 2016 22:35:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1580) Add ipv6 detection to conn.log
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1580?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1580:
-------------------------------
    Resolution: Won't Do
    Status: Closed (was: Open)

Just to repeat the comment from the github pull request here:

Hi,

thank you very much for your pull request.

Since this change only adds an additional field of data, which can already be deduced by the data that is present in conn.log, I do not think this is something we will want to add to the base scripts.

While it might be convenient to have this for easy grepping in some cases, people who need this can easily add it to their own installation as a script that extends the conn.log.

So - I would encourage you to change this to be a script that extends conn.log and publish it, e.g. in a bro-scripts repository in your github account. We will also create an easy way to add user scripts to bro in the future - things like these might make good candidates to be added to this.

> Add ipv6 detection to conn.log
> ------------------------------
>
> Key: BIT-1580
> URL: https://bro-tracker.atlassian.net/browse/BIT-1580
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 2.4
> Reporter: Malware Utkonos
> Labels: IPv6
>
> This is an additional column added to conn.log to determine if the connection is using ipv6. The address itself makes this clear, but it is much easier to grep for T/F than examining the address.
> Pull request with patch:
> https://github.com/bro/bro/pull/70

--
This message was sent by Atlassian JIRA (v1000.5.0#72002)
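
Added example, not part of the ticket, the pull request or Bro's own code: the point made in the reply above, that the address family can already be deduced from what conn.log records, shown as a Python reader for Bro's tab-separated ASCII log format that derives a T/F flag from id.orig_h. The sample log lines are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in Bro's ASCII (TSV) log layout; not real traffic.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring",
    "1461958440.000000\tCexample1\t192.0.2.10\t49152\t198.51.100.7\t443\ttcp\tssl",
    "1461958441.000000\tCexample2\t2001:db8::10\t49153\t2001:db8::7\t143\ttcp\t-",
    "1461958442.000000\tCexample3\tfe80::1\t546\tff02::1:2\t547\tudp\tdhcp",
    "#close\t2016-04-30-00-00-00",
])


def read_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if line.startswith("#separator"):
            # This header line is space-delimited and hex-escaped (\x09 = tab).
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line:
            continue  # other metadata (#path, #types, #open, #close)
        else:
            if fields is None:
                raise ValueError("record seen before the #fields header")
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError("column count does not match #fields")
            yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def is_ipv6(record):
    """True or False for the originator's address family; None if it is unset."""
    addr = record.get("id.orig_h")
    if addr is None:
        return None
    return ipaddress.ip_address(addr).version == 6


def annotate(text):
    """Return (uid, id.orig_h, flag) per record, the flag as T/F like a Bro bool."""
    rows = []
    for rec in read_bro_log(text):
        v6 = is_ipv6(rec)
        flag = "-" if v6 is None else ("T" if v6 else "F")
        rows.append((rec["uid"], rec["id.orig_h"], flag))
    return rows


def count_by_family(text):
    """Count connections per address family, skipping records with no originator."""
    counts = {"ipv4": 0, "ipv6": 0}
    for rec in read_bro_log(text):
        v6 = is_ipv6(rec)
        if v6 is not None:
            counts["ipv6" if v6 else "ipv4"] += 1
    return counts


if __name__ == "__main__":
    for uid, addr, flag in annotate(SAMPLE_CONN_LOG):
        print(uid, addr, flag)
    print(count_by_family(SAMPLE_CONN_LOG))
```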