[Bro-Dev] [JIRA] (BIT-985) 'tail -f' functionality for file reading in input framework
[ https://bro-tracker.atlassian.net/browse/BIT-985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-985:
-----------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

'tail -f' functionality for file reading in input framework
-----------------------------------------------------------

                Key: BIT-985
                URL: https://bro-tracker.atlassian.net/browse/BIT-985
            Project: Bro Issue Tracker
         Issue Type: New Feature
         Components: Bro
   Affects Versions: git/master
           Reporter: scampbell
           Assignee: Robin Sommer
           Priority: Low
            Fix For: 2.4
        Attachments: input.diff, PATCH

With the current input framework, file data -> event translation requires that the entire data file be read at bro start time. This can be prohibitive when the file sizes become large (> 1GB). It would be great to see a file open option that would start reading at the end of the file.

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1377) Please merge topic/johanna/conn-threshold
[ https://bro-tracker.atlassian.net/browse/BIT-1377?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1377:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

Please merge topic/johanna/conn-threshold
-----------------------------------------

                Key: BIT-1377
                URL: https://bro-tracker.atlassian.net/browse/BIT-1377
            Project: Bro Issue Tracker
         Issue Type: Improvement
         Components: Bro
   Affects Versions: git/master
           Reporter: Johanna Amann
           Assignee: Robin Sommer
            Fix For: 2.4

Please merge topic/johanna/conn-threshold.

This branch adds a high-level and a low-level API for connection thresholding (packets or bytes). The functions that are exposed to users are:

{code}
ConnThreshold::set_bytes_threshold(c, [bytes], [direction]);
ConnThreshold::set_packets_threshold(c, [packets], [direction]);
{code}

as well as ConnThreshold::delete_bytes_threshold and ConnThreshold::delete_packets_threshold to delete thresholds. Several thresholds can be added for a single connection; all of them will be raised.

The following two events trigger with the thresholds:

{code}
event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
event ConnThreshold::packets_threshold_crossed(c: connection, threshold: count, is_orig: bool)
{code}
[Bro-Dev] [JIRA] (BIT-1375) Please merge topic/johanna/ca-list
[ https://bro-tracker.atlassian.net/browse/BIT-1375?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1375:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

Please merge topic/johanna/ca-list
----------------------------------

                Key: BIT-1375
                URL: https://bro-tracker.atlassian.net/browse/BIT-1375
            Project: Bro Issue Tracker
         Issue Type: Improvement
         Components: Bro
   Affects Versions: git/master
           Reporter: Johanna Amann
           Assignee: Robin Sommer
            Fix For: 2.4

Please merge topic/johanna/ca-list.

This updates the Mozilla CA list to the current state and changes a few tests to continue working (CAs that were used in their traces were removed from the CA list).

It also fixes the CA list that is used for the external test suite - those traces are kind of old now, more and more of the CAs in them are no longer valid and it does not really make sense to update them on each change...
[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters
[ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1333:
---------------------------------

    Assignee: Seth Hall  (was: Robin Sommer)

Bro's ASCII logging facilities do not escape escape characters
--------------------------------------------------------------

                Key: BIT-1333
                URL: https://bro-tracker.atlassian.net/browse/BIT-1333
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: 2.3
           Reporter: Paul Pearce
           Assignee: Seth Hall
            Fix For: 2.4

* Bro escapes non-printable ASCII characters with either \x?? or ^ depending on the character (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html).
* Bro does not however escape \ or ^.
* This behavior makes recovering the original string impossible, as you cannot differentiate between an escaped sequence and a string containing those characters.

Examples:

$ bro -e 'event bro_init() { print "foo \xc2\xae bar \\xc2\\xae baz"; }'
foo \xc2\xae bar \xc2\xae baz

$ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'
foo\0bar\0baz

$ bro -e 'event bro_init() { print "foo \16 bar ^N baz"; }'
foo ^N bar ^N baz

Additionally, it would be ideal if there was a way to standardize escaping to a single syntax (\x?? for all, for example). This would allow post-processing of the bro logs in languages like Python or Ruby trivially using existing decode/encode functionality. I'm happy to file a separate feature request for this behavior, if that is preferred.

I brought this up on the mailing list (http://mailman.icsi.berkeley.edu/pipermail/bro/2015-February/008174.html). It was suggested (off list) that I file a ticket as well.
[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters
[ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20306#comment-20306 ]

Robin Sommer commented on BIT-1333:
-----------------------------------

Assigning this back to Seth for review and merging.

Bro's ASCII logging facilities do not escape escape characters
--------------------------------------------------------------

                Key: BIT-1333
                URL: https://bro-tracker.atlassian.net/browse/BIT-1333
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: 2.3
           Reporter: Paul Pearce
           Assignee: Seth Hall
            Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters
[ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20307#comment-20307 ]

Robin Sommer commented on BIT-1333:
-----------------------------------

Oh, still need to update external tests actually, just a second. :)

Bro's ASCII logging facilities do not escape escape characters
--------------------------------------------------------------

                Key: BIT-1333
                URL: https://bro-tracker.atlassian.net/browse/BIT-1333
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: 2.3
           Reporter: Paul Pearce
           Assignee: Seth Hall
            Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters
[ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1333:
------------------------------

    Status: Open  (was: Merge Request)

Bro's ASCII logging facilities do not escape escape characters
--------------------------------------------------------------

                Key: BIT-1333
                URL: https://bro-tracker.atlassian.net/browse/BIT-1333
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: 2.3
           Reporter: Paul Pearce
           Assignee: Robin Sommer
            Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters
[ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1333:
---------------------------------

    Assignee: Robin Sommer  (was: Seth Hall)

Bro's ASCII logging facilities do not escape escape characters
--------------------------------------------------------------

                Key: BIT-1333
                URL: https://bro-tracker.atlassian.net/browse/BIT-1333
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: 2.3
           Reporter: Paul Pearce
           Assignee: Robin Sommer
            Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1331) Bro manager crashes when logs rotate
[ https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1331:
------------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

Bro manager crashes when logs rotate
------------------------------------

                Key: BIT-1331
                URL: https://bro-tracker.atlassian.net/browse/BIT-1331
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: git/master, 2.4
        Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
           Reporter: Josh Liburdi
           Assignee: Robin Sommer
            Fix For: 2.4

The Bro manager crashes when the logs rotate. Workers run fine through this process.

stderr.log output:

internal error: finish missing
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup $mybro $@
send-mail: SENDMAIL-NOTFOUND not found
[Bro-Dev] [JIRA] (BIT-1331) Bro manager crashes when logs rotate
[ https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20313#comment-20313 ]

Robin Sommer commented on BIT-1331:
-----------------------------------

Should be fixed in 9260638948502c795d34f60c095ca33f74bb106a

Bro manager crashes when logs rotate
------------------------------------

                Key: BIT-1331
                URL: https://bro-tracker.atlassian.net/browse/BIT-1331
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: git/master, 2.4
        Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
           Reporter: Josh Liburdi
           Assignee: Robin Sommer
            Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters
[ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20302#comment-20302 ]

Robin Sommer commented on BIT-1333:
-----------------------------------

I can see doing this generally for logging. So would it work if we did the backslash escaping for logging, but stayed with my suggestion above for print and other script-land stuff?

Bro's ASCII logging facilities do not escape escape characters
--------------------------------------------------------------

                Key: BIT-1333
                URL: https://bro-tracker.atlassian.net/browse/BIT-1333
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: 2.3
           Reporter: Paul Pearce
           Assignee: Robin Sommer
            Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters
[ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20300#comment-20300 ]

Robin Sommer commented on BIT-1333:
-----------------------------------

I don't think this is quite right yet: we can't really generally escape backslashes on print. If we did, we'd get for example this:

{code}
# cat a.bro
event bro_init()
{
    local a = "abc\0def";
    local b = escape_string(a);
    print b;
}

# bro ./a.bro
abc\\x00def
{code}

I.e., the escape_string() inserts \x00, and then the print escapes that backslash.

What if we did the backslash escape only on special request, that is when calling escape_string() and similar functions? If one wants the reversible representation, one would then need to call such a function; whereas the semantics for a normal print would remain at "make sure it doesn't output non-printable characters", without being reversible.

Bro's ASCII logging facilities do not escape escape characters
--------------------------------------------------------------

                Key: BIT-1333
                URL: https://bro-tracker.atlassian.net/browse/BIT-1333
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: 2.3
           Reporter: Paul Pearce
           Assignee: Robin Sommer
            Fix For: 2.4
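The collision Paul Pearce reports in BIT-1333 (a raw 0xC2 0xAE and the literal text "\xc2\xae" print identically) and the reversible representation Robin suggests reserving for escape_string(), modelled in Python as an added example. This is not Bro's code and not from the ticket: the lossy escaper is only a model of the behaviour described, the reversible one standardises on \x?? for every non-printable byte and \\ for a literal backslash (the single-syntax scheme the ticket asks for), and the function names, sample inputs and tab-separated log line are all constructed here.

```python
import string

# Constructed sample inputs (not from the ticket): the same printable text once
# containing the raw bytes 0xC2 0xAE and once containing the *literal* characters
# backslash-x-c-2 backslash-x-a-e.  Under lossy escaping both give the same output.
RAW_BYTES = b"foo \xc2\xae bar"
LITERAL_TEXT = b"foo \\xc2\\xae bar"


def _is_printable_ascii(b: int) -> bool:
    """Bytes 0x20..0x7E are emitted as-is; everything else is escaped."""
    return 0x20 <= b < 0x7F


def lossy_escape(data: bytes) -> str:
    """Model of the behaviour BIT-1333 describes (a model, not Bro's code):
    non-printable bytes become \\x??, but a literal backslash passes through
    untouched, so the output cannot be inverted."""
    return "".join(chr(b) if _is_printable_ascii(b) else "\\x%02x" % b for b in data)


def reversible_escape(data: bytes) -> str:
    """Single-syntax escaping: \\x?? for every non-printable byte and a doubled
    backslash for a literal one.  Every input maps to a distinct output."""
    out = []
    for b in data:
        if b == 0x5C:                       # the escape character itself
            out.append("\\\\")
        elif _is_printable_ascii(b):
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def reversible_unescape(text: str) -> bytes:
    """Inverse of reversible_escape.  Malformed input raises ValueError instead
    of being guessed at, which is what a log consumer wants from untrusted data."""
    out = bytearray()
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c != "\\":
            if ord(c) > 0x7F:
                raise ValueError("non-ASCII character at offset %d" % i)
            out.append(ord(c))
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("dangling backslash at offset %d" % i)
        nxt = text[i + 1]
        if nxt == "\\":
            out.append(0x5C)
            i += 2
        elif nxt == "x" and i + 4 <= n and all(h in string.hexdigits for h in text[i + 2:i + 4]):
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        else:
            raise ValueError("malformed escape at offset %d" % i)
    return bytes(out)


def is_well_formed(text: str) -> bool:
    """True if text decodes cleanly under the reversible scheme."""
    try:
        reversible_unescape(text)
        return True
    except ValueError:
        return False


def decode_log_line(line: str) -> list:
    """Split a tab-separated log line (constructed format, not Bro's ASCII writer)
    and decode each field back to its original bytes."""
    return [reversible_unescape(f) for f in line.rstrip("\n").split("\t")]


if __name__ == "__main__":
    # The collision from the ticket: two different inputs, one lossy output.
    print("lossy:      %r == %r" % (lossy_escape(RAW_BYTES), lossy_escape(LITERAL_TEXT)))
    print("reversible: %r != %r" % (reversible_escape(RAW_BYTES), reversible_escape(LITERAL_TEXT)))
    for sample in (RAW_BYTES, LITERAL_TEXT, b"abc\0def", b"C:\\path"):
        assert reversible_unescape(reversible_escape(sample)) == sample
    print(decode_log_line("1427200000.0\tfoo \\xc2\\xae\ta\\\\b\n"))
```

The decoder deliberately refuses a dangling backslash or a bad hex pair rather than passing it through: once the writer guarantees the escape character is always escaped, any sequence that does not parse is evidence of a malformed or tampered record, not something to silently repair.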
[Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers
[ https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1306:
------------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

bro process would get stuck/freeze with myricom drivers
-------------------------------------------------------

                Key: BIT-1306
                URL: https://bro-tracker.atlassian.net/browse/BIT-1306
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: git/master
        Environment: OS: FreeBSD 9.3-RELEASE-p5
                     OS bro version 2.3-328
                     git log -1 --format=%H
                     379593c7fded0f9791ae71a52dd78a4c9d5a2c1f
           Reporter: Aashish Sharma
           Assignee: Robin Sommer
             Labels: bro-git, myricom
            Fix For: 2.4

When I stop bro (in cluster mode), one of the bro worker processes (random) would get stuck and wouldn't shutdown, stop or even be killed using kill -s 9. System has to be ultimately rebooted to remove the stuck bro process.

On running myri_start_stop I see:

# /usr/local/opt/snf/sbin/myri_start_stop stop
Removing myri_snf.ko
kldunload: can't unload file: Device busy

It appears that the myri_snf.ko driver cannot be unloaded because of the stuck bro process. That process still has an open descriptor on the Sniffer device/driver and the bro process freezes.

More details:

The bro process is stuck in RNE state:

R   Marks a runnable process.
N   The process has reduced CPU scheduling priority (see setpriority(2)).
E   The process is trying to exit.

Here is an example:

### stuck process:
[bro@01 ~]$ ps auxwww | fgrep 1616
bro  1616  100.0  0.0  758040  60480  ??  RNE  2:57PM  53:50.04  /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro broctl/auto

when checking for process in proc:
[bro@c ~]$ ls -l /proc/1616
ls: /proc/1616: No such file or directory
[Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers
[ https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20261#comment-20261 ]

Robin Sommer commented on BIT-1306:
-----------------------------------

Thanks, Keith! Closing ticket.

bro process would get stuck/freeze with myricom drivers
-------------------------------------------------------

                Key: BIT-1306
                URL: https://bro-tracker.atlassian.net/browse/BIT-1306
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: git/master
           Reporter: Aashish Sharma
           Assignee: Robin Sommer
             Labels: bro-git, myricom
            Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1372) Clean up ---help
[ https://bro-tracker.atlassian.net/browse/BIT-1372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1372:
------------------------------

    Resolution: Fixed
        Status: Closed  (was: In Progress)

Clean up ---help
----------------

                Key: BIT-1372
                URL: https://bro-tracker.atlassian.net/browse/BIT-1372
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
           Reporter: Robin Sommer
           Assignee: Robin Sommer
            Fix For: 2.4

Remove netflow and DFA cache (plus dead code).
[Bro-Dev] [JIRA] (BIT-1356) Bro process sticks around after broctl stop
[ https://bro-tracker.atlassian.net/browse/BIT-1356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20258#comment-20258 ]

Robin Sommer commented on BIT-1356:
-----------------------------------

Can somebody see if 0620bc97 helps?

Bro process sticks around after broctl stop
-------------------------------------------

                Key: BIT-1356
                URL: https://bro-tracker.atlassian.net/browse/BIT-1356
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: BroControl
   Affects Versions: git/master
           Reporter: Johanna Amann
           Assignee: Daniel Thayer
            Fix For: 2.4

It seems that after running a broctl stop not all bro processes are killed immediately. On our cluster, one of the processes keeps running; it seems like it eventually terminates after all log-compression is done. Is that on purpose or is that a bug?

Ps output (on the node running the manager, bro process in first line, including the running compression jobs for completeness):

{code}
$ ps -ax | grep bro
23353  -  IN  20:06.96 /xa/bro/master/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
24979  -  I    0:00.01 bash /xa/bro/master/share/broctl/scripts/archive-log http.2015-03-25-14-40-30.log http 15-03-25_14.40.30 15-03-25_16.29.29 1 ascii
25047  -  I    0:00.01 bash /xa/bro/master/share/broctl/scripts/archive-log conn.2015-03-25-14-40-30.log conn 15-03-25_14.40.30 15-03-25_16.29.29 1 ascii
25841  -  S    0:00.59 bash /xa/bro/master/share/broctl/scripts/post-terminate /xa/bro/master/spool/manager
29204  0  D+   0:00.00 grep bro
{code}
[Bro-Dev] [JIRA] (BIT-1372) Clean up ---help
[ https://bro-tracker.atlassian.net/browse/BIT-1372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1372:
------------------------------

        Status: Reopened  (was: Closed)
    Resolution: (was: Fixed)

Clean up ---help
----------------

                Key: BIT-1372
                URL: https://bro-tracker.atlassian.net/browse/BIT-1372
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
           Reporter: Robin Sommer
           Assignee: Robin Sommer
            Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1372) Clean up ---help
[ https://bro-tracker.atlassian.net/browse/BIT-1372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1372:
------------------------------

    Status: In Progress  (was: Reopened)

Clean up ---help
----------------

                Key: BIT-1372
                URL: https://bro-tracker.atlassian.net/browse/BIT-1372
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
           Reporter: Robin Sommer
           Assignee: Robin Sommer
            Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-844) UDP payload signature patterns don't match packet-wise
[ https://bro-tracker.atlassian.net/browse/BIT-844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-844:
--------------------------------

    Assignee: Robin Sommer

UDP payload signature patterns don't match packet-wise
------------------------------------------------------

                Key: BIT-844
                URL: https://bro-tracker.atlassian.net/browse/BIT-844
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: git/master
           Reporter: Jon Siwek
           Assignee: Robin Sommer
           Priority: Low
            Fix For: 2.4

The docs say:

{noformat}
Regular expressions are implicitly anchored, i.e., they work as if prefixed with the ^ operator. For reassembled TCP connections, they are anchored at the first byte of the payload stream. For all other connections, they are anchored at the first payload byte of each packet. To match at arbitrary positions, you can prefix the regular expression with .*, as done in the examples above.
{noformat}

But for a UDP connection made up of 2 packets with payloads ' and then , I still need the .* prefix to match on the 2nd:

{noformat}
signature {
    ip-proto = udp
    payload /.*/
    event "Found"
}
{noformat}

Changing the pattern to {{//}} or {{/^/}} results in no match (but does match if I flip the order of packets).
[Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac
[ https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1361:
---------------------------------

    Assignee: Robin Sommer

New installation of Bro crashes and core dumps with error indicating ssh/binpac
-------------------------------------------------------------------------------

                Key: BIT-1361
                URL: https://bro-tracker.atlassian.net/browse/BIT-1361
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: 2.3
        Environment: Debian wheezy, Dell 1750 (dual 32-bit Xeon dual-core cpus), capturing on one 100 meg mirrored switch port
           Reporter: Ted Llewellyn
           Assignee: Robin Sommer
             Labels: binpac, ssh
            Fix For: 2.4
        Attachments: bro-bt-033115.txt

diag results:

[BroControl] > diag
[bro]

Bro 2.3-633
Linux 3.2.0-4-686-pae

No gdb installed.

No reporter.log

stderr.log
listening on eth1, capture length 8192 bytes

bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie = t_end_of_data' failed.
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted (core dumped) nohup $mybro $@

stdout.log
max memory size         (kbytes, -m) unlimited
data seg size           (kbytes, -d) unlimited
virtual memory          (kbytes, -v) unlimited
core file size          (blocks, -c) unlimited

.cmdline
-i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

.env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=

.status
RUNNING [net_run]

No prof.log

No packet_filter.log

No loaded_scripts.log

[BroControl] >
[Bro-Dev] [JIRA] (BIT-1362) topic/dnthayer/fixes-for-2.4
[ https://bro-tracker.atlassian.net/browse/BIT-1362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1362:
------------------------------

    Status: Closed  (was: Merge Request)

topic/dnthayer/fixes-for-2.4
----------------------------

                Key: BIT-1362
                URL: https://bro-tracker.atlassian.net/browse/BIT-1362
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: BroControl
           Reporter: Daniel Thayer
           Assignee: Justin Azoff
            Fix For: 2.4

The branch topic/dnthayer/fixes-for-2.4 contains fixes that address BIT-1360, 1355, 1349, 1329, and 631, as well as various other fixes and improvements.
[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet
[ https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1364:

    Assignee: Jon Siwek

Bro does not attach UDP analyzers when signature matches after first packet

    Key: BIT-1364
    URL: https://bro-tracker.atlassian.net/browse/BIT-1364
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Jon Siwek
    Priority: Low
    Fix For: 2.4
    Attachments: f1.pcap, f2.pcap

At the moment, Bro only seems to attach UDP analyzers based on signatures if the very first UDP packet matches the signature. Even if later UDP packets match the signature, the analyzer is not attached.

The attachments contain a test case. f1.pcap contains a DTLS connection with a few STUN packets that are sent first, which is not recognized as DTLS. f2.pcap contains the same connection with the first few packets missing.

It would probably be nice if one could at least opt to attach analyzers at a later time too, if a signature matches. (I know that 2.4 is probably a bit optimistic for this.)
[Bro-Dev] [JIRA] (BIT-1355) Hitting ctrl+c in broctl gives ugly output
[ https://bro-tracker.atlassian.net/browse/BIT-1355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20223#comment-20223 ]

Robin Sommer commented on BIT-1355:

Part of BIT-1362.

Hitting ctrl+c in broctl gives ugly output

    Key: BIT-1355
    URL: https://bro-tracker.atlassian.net/browse/BIT-1355
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: BroControl
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Daniel Thayer
    Fix For: 2.4

Hitting ctrl+c in broctl results in an ugly stack-trace at the moment:

{code}
$ broctl
warning: new bro version detected (run the broctl deploy command)

Welcome to BroControl 1.3-162

Type "help" for help.

[BroControl] Traceback (most recent call last):
  File "/xa/bro/master/bin/broctl", line 777, in <module>
    sys.exit(main())
  File "/xa/bro/master/bin/broctl", line 772, in main
    cmdsuccess = loop.cmdloop("\nWelcome to BroControl %s\n\nType \"help\" for help.\n" % version.VERSION)
  File "/xa/bro/master/lib/broctl/BroControl/brocmd.py", line 36, in cmdloop
    line = py3bro.input(self.prompt)
KeyboardInterrupt
$
{code}
[Bro-Dev] [JIRA] (BIT-1355) Hitting ctrl+c in broctl gives ugly output
[ https://bro-tracker.atlassian.net/browse/BIT-1355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1355:

    Resolution: Fixed
    Status: Closed (was: Open)

Hitting ctrl+c in broctl gives ugly output

    Key: BIT-1355
    URL: https://bro-tracker.atlassian.net/browse/BIT-1355
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: BroControl
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Daniel Thayer
    Fix For: 2.4

Hitting ctrl+c in broctl results in an ugly stack-trace at the moment:

{code}
$ broctl
warning: new bro version detected (run the broctl deploy command)

Welcome to BroControl 1.3-162

Type "help" for help.

[BroControl] Traceback (most recent call last):
  File "/xa/bro/master/bin/broctl", line 777, in <module>
    sys.exit(main())
  File "/xa/bro/master/bin/broctl", line 772, in main
    cmdsuccess = loop.cmdloop("\nWelcome to BroControl %s\n\nType \"help\" for help.\n" % version.VERSION)
  File "/xa/bro/master/lib/broctl/BroControl/brocmd.py", line 36, in cmdloop
    line = py3bro.input(self.prompt)
KeyboardInterrupt
$
{code}
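The traceback above ends in `input(self.prompt)` inside the command loop, which is where a Ctrl+C at the prompt surfaces as `KeyboardInterrupt`; nothing between there and the interpreter catches it, so the interpreter prints the stack. The following is an added example, not BroControl's code, of the pattern that gives a clean exit instead: a tiny `cmd.Cmd` shell (constructed for the example) run through a wrapper that converts the interrupt into a message on stderr and a nonzero exit status. `MiniShell`, `run_shell` and `_raise_interrupt` are names chosen here, not BroControl's.

```python
"""Graceful Ctrl+C handling for a cmd.Cmd-based interactive shell.

Added example, not BroControl's own code. cmd.Cmd.cmdloop() reads each
command with input(self.prompt); a Ctrl+C at the prompt therefore raises
KeyboardInterrupt out of cmdloop(). Catching it in one place is what keeps
the interpreter from printing a traceback, while the exit status still
tells the caller (a script, a wrapper) that the session was interrupted.
"""
import cmd
import sys

EXIT_OK = 0
EXIT_INTERRUPTED = 130  # conventional shell status for "terminated by SIGINT"


class MiniShell(cmd.Cmd):
    """Tiny stand-in for the BroControl shell (constructed for the example)."""

    intro = "\nWelcome to the example shell.\n\nType \"help\" for help.\n"
    prompt = "[example] "

    def do_status(self, arg):
        """Print a constructed status line."""
        print("manager   manager   localhost   running")

    def do_exit(self, arg):
        """Leave the shell."""
        return True

    do_quit = do_exit
    do_EOF = do_exit  # Ctrl+D at the prompt also leaves cleanly

    def emptyline(self):
        # Do not repeat the previous command when the user just presses Enter.
        return False


def run_shell(loop) -> int:
    """Call loop() (normally shell.cmdloop) and map Ctrl+C to a clean exit."""
    try:
        loop()
    except KeyboardInterrupt:
        print("\nInterrupted.", file=sys.stderr)
        return EXIT_INTERRUPTED
    return EXIT_OK


def _raise_interrupt():
    """Stands in for cmdloop() when exercising the handler without a terminal."""
    raise KeyboardInterrupt


if __name__ == "__main__":
    sys.exit(run_shell(MiniShell().cmdloop))
```

Catching the interrupt around the whole loop, rather than inside every command handler, means a Ctrl+C that arrives while a command is running is handled the same way as one at the prompt.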
[Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger
[ https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20228#comment-20228 ]

Robin Sommer commented on BIT-1329:

Fixed in BIT-1362.

BroControl scripts displays meta-information from bro logger

    Key: BIT-1329
    URL: https://bro-tracker.atlassian.net/browse/BIT-1329
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: BroControl
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Daniel Thayer
    Fix For: 2.4

When issuing a broctl scripts, the output contains meta bro-log-lines (like #fields, etc) that we probably do not want to display in this case.

Example:

{code}
[BroControl] scripts manager
manager scripts are ok.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path loaded_scripts
#open 2015-03-05-13-24-34
#fields name
#types string
/xa/bro/master/share/bro/base/init-bare.bro
/xa/bro/master/share/bro/base/bif/const.bif.bro
...
/xa/bro/master/share/bro/broctl/check.bro
#close 2015-03-05-13-24-34
{code}
[Bro-Dev] [JIRA] (BIT-631) Special message for broctl locking when done by cron
[ https://bro-tracker.atlassian.net/browse/BIT-631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-631:

    Resolution: Fixed
    Status: Closed (was: Open)

Special message for broctl locking when done by cron

    Key: BIT-631
    URL: https://bro-tracker.atlassian.net/browse/BIT-631
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: BroControl
    Reporter: Seth Hall
    Assignee: Daniel Thayer
    Fix For: 2.4

If the broctl lock is being held by the cron command it would be nice if the message that indicates a lock is already held would indicate if it is the cron command. If multiple people are working with broctl the person that gets a lock doesn't know if it's because of another user or because they happened to be trying to do something while the cron command is running.
[Bro-Dev] [JIRA] (BIT-931) Ascii writer does not escape empty sets / vectors
[ https://bro-tracker.atlassian.net/browse/BIT-931?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-931:

    Fix Version/s: (was: 2.4) 2.5

Ascii writer does not escape empty sets / vectors

    Key: BIT-931
    URL: https://bro-tracker.atlassian.net/browse/BIT-931
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Seth Hall
    Fix For: 2.5

The script

{noformat}
redef LogAscii::empty_field = "EMPTY";

module SSH;

export {
    redef enum Log::ID += { LOG };

    type Log: record {
        ss: set[string];
    } &log;
}

event bro_init()
    {
    Log::create_stream(SSH::LOG, [$columns=Log]);
    Log::write(SSH::LOG, [ $ss=set("EMPTY") ]);
    }
{noformat}

Outputs the line

{noformat}
EMPTY
{noformat}

to a log-file. This makes it impossible to distinguish a line containing "EMPTY" from a line containing an empty set.
[Bro-Dev] [JIRA] (BIT-1367) Type clashing problem when records with default values are used in sets.
[ https://bro-tracker.atlassian.net/browse/BIT-1367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1367:

    Assignee: Robin Sommer

Type clashing problem when records with default values are used in sets.

    Key: BIT-1367
    URL: https://bro-tracker.atlassian.net/browse/BIT-1367
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Robin Sommer
    Labels: logging
    Fix For: 2.4

topic/johanna/sft-port is a branch that contains a slight modification to the sftp log-rotator, adding the possibility to select the server port with a default value of 20.

After adding this small change, the Bro type system is no longer able to figure out that it can coerce the record in cases that previously worked. The default invocation of the sftp log-rotator using:

{code}
Log::add_filter(Conn::LOG, [$name="test", $path="testconn", $writer=Log::WRITER_ASCII, $interv=1hr, $postprocessor=Log::sftp_postprocessor]);
Log::sftp_destinations[Log::WRITER_ASCII,"testconn"] = set([$user="testuser",$host="testhost",$path="testpath"]);
{code}

or similar leads to

{code}
type clash in assignment (Log::sftp_destinations[Log::WRITER_ASCII, "testconn"] = set([$user="testuser", $host="testhost", $path="testpath"]))
{code}

Directly specifying the type of the record works, but would break all other scripts that are using the sftp log rotator currently. Working example:

{code}
Log::add_filter(Conn::LOG, [$name="test", $path="testconn", $writer=Log::WRITER_ASCII, $interv=1hr, $postprocessor=Log::sftp_postprocessor]);
Log::sftp_destinations[Log::WRITER_ASCII,"testconn"] = set(Log::SFTPDestination($user="testuser",$host="testhost",$path="testpath"));
{code}

Once this is fixed, topic/johanna/sft-port can be merged.
[Bro-Dev] [JIRA] (BIT-1367) Type clashing problem when records with default values are used in sets.
[ https://bro-tracker.atlassian.net/browse/BIT-1367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1367:

    Assignee: Jon Siwek (was: Robin Sommer)

Type clashing problem when records with default values are used in sets.

    Key: BIT-1367
    URL: https://bro-tracker.atlassian.net/browse/BIT-1367
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Jon Siwek
    Labels: logging
    Fix For: 2.4

topic/johanna/sft-port is a branch that contains a slight modification to the sftp log-rotator, adding the possibility to select the server port with a default value of 20.

After adding this small change, the Bro type system is no longer able to figure out that it can coerce the record in cases that previously worked. The default invocation of the sftp log-rotator using:

{code}
Log::add_filter(Conn::LOG, [$name="test", $path="testconn", $writer=Log::WRITER_ASCII, $interv=1hr, $postprocessor=Log::sftp_postprocessor]);
Log::sftp_destinations[Log::WRITER_ASCII,"testconn"] = set([$user="testuser",$host="testhost",$path="testpath"]);
{code}

or similar leads to

{code}
type clash in assignment (Log::sftp_destinations[Log::WRITER_ASCII, "testconn"] = set([$user="testuser", $host="testhost", $path="testpath"]))
{code}

Directly specifying the type of the record works, but would break all other scripts that are using the sftp log rotator currently. Working example:

{code}
Log::add_filter(Conn::LOG, [$name="test", $path="testconn", $writer=Log::WRITER_ASCII, $interv=1hr, $postprocessor=Log::sftp_postprocessor]);
Log::sftp_destinations[Log::WRITER_ASCII,"testconn"] = set(Log::SFTPDestination($user="testuser",$host="testhost",$path="testpath"));
{code}

Once this is fixed, topic/johanna/sft-port can be merged.
[Bro-Dev] [JIRA] (BIT-1360) Better error message when SpoolDir does not exist
[ https://bro-tracker.atlassian.net/browse/BIT-1360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20221#comment-20221 ]

Robin Sommer commented on BIT-1360:

Included in BIT-1362

Better error message when SpoolDir does not exist

    Key: BIT-1360
    URL: https://bro-tracker.atlassian.net/browse/BIT-1360
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: BroControl
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Daniel Thayer
    Priority: Low
    Fix For: 2.4

Currently, the error message that is given when SpoolDir in broctl.cfg does not exist is rather unhelpful (something in the direction of "Cannot open database").
[Bro-Dev] [JIRA] (BIT-1342) Occasional test failures
[ https://bro-tracker.atlassian.net/browse/BIT-1342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1342:

    Assignee: Daniel Thayer

Occasional test failures

    Key: BIT-1342
    URL: https://bro-tracker.atlassian.net/browse/BIT-1342
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: BroControl
    Reporter: Robin Sommer
    Assignee: Daniel Thayer
    Fix For: 2.4

Two tests in current master fail for me occasionally (usually when I run the full broctl test-suite but not when I rerun just these failing tests). Diag output below.

{code}
command.start-stop-standalone ... failed
% 'btest-diff stop.out' failed unexpectedly (exit code 1)
% cat .diag
== File ===
stopping bro ...
Exception in thread Thread-1 (most likely raised during interpreter shutdown):
Traceback (most recent call last):
  File "/usr/lib64/python2.7/threading.py", line 811, in __bootstrap_inner
  File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", line
  File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", line
  File "/usr/lib64/python2.7/Queue.py", line 177, in get
  File "/usr/lib64/python2.7/threading.py", line 354, in wait
<type 'exceptions.TypeError'>: 'NoneType' object is not callable
== Diff ===
--- /home/robin/bro/master/aux/broctl/testing/Baseline/command.start-stop-standalone/stop.out 2013-06-01 00:29:07.
+++ stop.out 2015-03-17 22:50:01.857838625 +
@@ -1 +1,9 @@
 stopping bro ...
+Exception in thread Thread-1 (most likely raised during interpreter shutdown):
+Traceback (most recent call last):
+  File "/usr/lib64/python2.7/threading.py", line 811, in __bootstrap_inner
+  File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", l
+  File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", l
+  File "/usr/lib64/python2.7/Queue.py", line 177, in get
+  File "/usr/lib64/python2.7/threading.py", line 354, in wait
+<type 'exceptions.TypeError'>: 'NoneType' object is not callable
===

[...]

command.start-cluster-slowstart ... failed
% 'btest-diff status2.out' failed unexpectedly (exit code 1)
% cat .diag
== File ===
Getting process status ...
Getting peer status ...
Name         Type     Host        Status    Pid    Peers    Started
manager      manager  localhost   stopped
proxy-1      proxy    localhost   stopped
worker-1     worker   localhost   stopped
worker-2     worker   localhost   stopped
== Diff ===
--- /home/robin/bro/master/aux/broctl/testing/Baseline/command.start-cluster-slowstart/status2.out 2015-03-04 20:16
+++ status2.out 2015-03-17 22:50:26.578618684 +
@@ -3,5 +3,5 @@
 Name         Type     Host        Status    Pid    Peers    Started
 manager      manager  localhost   stopped
 proxy-1      proxy    localhost   stopped
-worker-1     worker   localhost   crashed
+worker-1     worker   localhost   stopped
 worker-2     worker   localhost   stopped
===
{code}
[Bro-Dev] [JIRA] (BIT-1336) ElasticSearch indices in UTC
[ https://bro-tracker.atlassian.net/browse/BIT-1336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1336:

    Assignee: Seth Hall

ElasticSearch indices in UTC

    Key: BIT-1336
    URL: https://bro-tracker.atlassian.net/browse/BIT-1336
    Project: Bro Issue Tracker
    Issue Type: Improvement
    Components: Bro
    Affects Versions: 2.4
    Reporter: Vlad Grigorescu
    Assignee: Seth Hall
    Priority: Trivial
    Fix For: 2.4

For improved compatibility with Kibana and other ElasticSearch frontends, the timestamps on the Bro indices should be changed to UTC.
[Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger
[ https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1329:

    Resolution: Fixed
    Status: Closed (was: Reopened)

BroControl scripts displays meta-information from bro logger

    Key: BIT-1329
    URL: https://bro-tracker.atlassian.net/browse/BIT-1329
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: BroControl
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Daniel Thayer
    Fix For: 2.4

When issuing a broctl scripts, the output contains meta bro-log-lines (like #fields, etc) that we probably do not want to display in this case.

Example:

{code}
[BroControl] scripts manager
manager scripts are ok.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path loaded_scripts
#open 2015-03-05-13-24-34
#fields name
#types string
/xa/bro/master/share/bro/base/init-bare.bro
/xa/bro/master/share/bro/base/bif/const.bif.bro
...
/xa/bro/master/share/bro/broctl/check.bro
#close 2015-03-05-13-24-34
{code}
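The meta lines that leak into the `broctl scripts` output above (`#separator`, `#set_separator`, `#empty_field`, `#unset_field`, `#fields`, `#types`) are exactly what a consumer of Bro ASCII logs has to read before it can decode the data rows, and BIT-931 earlier in this digest shows why `#empty_field` matters: once a set is written as the empty_field marker, a reader cannot tell an empty set from a set holding the marker as a literal string. The following is an added example, not Bro's or BroControl's code: a small parser for that log format that honours those header lines, run over two constructed inputs, one in the shape of the loaded_scripts.log excerpt above and one in the shape of the BIT-931 output with `LogAscii::empty_field` redefined to `EMPTY`. Function names and the sample inputs are assumptions made for the example.

```python
"""Parser for Bro/Zeek ASCII logs that honours the '#' meta-header lines.

Added example, not Bro's or BroControl's code. Separator, set separator,
empty-field and unset-field markers are taken from the headers rather than
assumed, and set/vector columns (per '#types') are split into lists. The
second sample reproduces the BIT-931 ambiguity: two rows that were written
from different values decode to the same Python value.
"""

UNSET = None  # Python value used for cells equal to the '#unset_field' marker


def _decode_separator(raw: str) -> str:
    # The #separator line spells its value with \xHH escapes, e.g. "\x09" for a tab.
    return raw.encode("ascii").decode("unicode_escape")


def _decode_cell(cell: str, typ: str, meta: dict):
    if cell == meta["unset_field"]:
        return UNSET
    if typ.startswith(("set[", "vector[")):
        if cell == meta["empty_field"]:
            return []
        return cell.split(meta["set_separator"])
    return cell


def parse_bro_ascii(text: str):
    """Return (meta, rows): header values as a dict, data rows as dicts by field name."""
    meta = {"separator": "\t", "set_separator": ",",
            "empty_field": "(empty)", "unset_field": "-"}
    fields, types, rows = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            meta["separator"] = _decode_separator(line[len("#separator "):])
            continue
        sep = meta["separator"]
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key in ("set_separator", "empty_field", "unset_field", "path", "open", "close"):
                meta[key] = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue
        cells = line.split(sep)
        if len(cells) != len(fields):
            raise ValueError(f"expected {len(fields)} cells, got {len(cells)}: {line!r}")
        rows.append({name: _decode_cell(cell, typ, meta)
                     for name, typ, cell in zip(fields, types, cells)})
    return meta, rows


# Constructed sample in the layout of the loaded_scripts.log excerpt above.
SAMPLE_LOADED_SCRIPTS = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tloaded_scripts\n"
    "#open\t2015-03-05-13-24-34\n"
    "#fields\tname\n"
    "#types\tstring\n"
    "/xa/bro/master/share/bro/base/init-bare.bro\n"
    "/xa/bro/master/share/bro/broctl/check.bro\n"
    "#close\t2015-03-05-13-24-34\n"
)

# Constructed sample with LogAscii::empty_field redefined to "EMPTY", as in BIT-931.
SAMPLE_EMPTY_MARKER = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\tEMPTY\n"
    "#unset_field\t-\n"
    "#fields\tss\n"
    "#types\tset[string]\n"
    "EMPTY\n"      # what the writer emits for set()        -> decodes as []
    "EMPTY\n"      # what the writer emits for set("EMPTY") -> also decodes as []
    "a,EMPTY\n"    # the marker inside a larger set survives as a literal element
)


def empty_marker_is_ambiguous(text: str) -> bool:
    """True when the first two rows decode identically although one held a literal."""
    _, rows = parse_bro_ascii(text)
    return rows[0]["ss"] == rows[1]["ss"] == []


if __name__ == "__main__":
    meta, rows = parse_bro_ascii(SAMPLE_LOADED_SCRIPTS)
    print(meta["path"], [r["name"] for r in rows])
    print("ambiguous:", empty_marker_is_ambiguous(SAMPLE_EMPTY_MARKER))
```

The practical consequence for anyone writing detection over these logs is that the empty-field marker must be compared against the value declared in the header of each file, never hard-coded, and that a set column whose value equals that marker cannot be trusted to mean "empty" on writers affected by BIT-931.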
[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet
[ https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1364:

    Priority: Low (was: Normal)

Bro does not attach UDP analyzers when signature matches after first packet

    Key: BIT-1364
    URL: https://bro-tracker.atlassian.net/browse/BIT-1364
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Johanna Amann
    Priority: Low
    Fix For: 2.4
    Attachments: f1.pcap, f2.pcap

At the moment, Bro only seems to attach UDP analyzers based on signatures if the very first UDP packet matches the signature. Even if later UDP packets match the signature, the analyzer is not attached.

The attachments contain a test case. f1.pcap contains a DTLS connection with a few STUN packets that are sent first, which is not recognized as DTLS. f2.pcap contains the same connection with the first few packets missing.

It would probably be nice if one could at least opt to attach analyzers at a later time too, if a signature matches. (I know that 2.4 is probably a bit optimistic for this.)
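To make the difference between the two behaviours in the report concrete, the following is an added example, not Bro's signature engine or analyzer-attachment code. It builds a UDP flow in which STUN messages precede a DTLS ClientHello (the shape the report gives for f1.pcap; the packets themselves are constructed, not taken from the attachment) and runs two attachment policies over it: the one the report describes, which consults the signatures on the first packet only, and the requested alternative, which keeps evaluating later packets until a signature fires. Only DTLS has a signature here, since the report says the STUN packets are not what Bro is looking for. The DTLS check is a simplified record-header test (content type 22, version 0xFEFF or 0xFEFD, from RFC 6347), the STUN packets follow the RFC 5389 header layout, and all function names are chosen for the example.

```python
"""UDP analyzer attachment by signature: first packet only vs. any packet.

Added example, not Bro's code. A flow is a list of UDP payloads in arrival
order. Each policy returns the analyzers it would attach; the any-packet
policy also reports which packet triggered the match, which tells an
operator how much of the flow went unanalysed before the analyzer was
attached.
"""
import struct

DTLS_HANDSHAKE = 22
DTLS_VERSIONS = {0xFEFF, 0xFEFD}  # DTLS 1.0 and DTLS 1.2 record-layer versions
STUN_MAGIC_COOKIE = 0x2112A442


def looks_like_dtls(payload: bytes) -> bool:
    """DTLS record header: type(1) version(2) epoch(2) seq(6) length(2)."""
    if len(payload) < 13:
        return False
    content_type, version = struct.unpack(">BH", payload[:3])
    length = struct.unpack(">H", payload[11:13])[0]
    return (content_type == DTLS_HANDSHAKE and version in DTLS_VERSIONS
            and 13 + length <= len(payload))


# Signature table: protocol name -> predicate over one UDP payload.
SIGNATURES = {"dtls": looks_like_dtls}


def match_signatures(payload: bytes) -> list:
    return [name for name, fn in SIGNATURES.items() if fn(payload)]


def attach_first_packet_only(flow: list) -> list:
    """Behaviour the report describes: signatures are consulted on packet 1 only."""
    return match_signatures(flow[0]) if flow else []


def attach_any_packet(flow: list):
    """Requested alternative: keep trying until some signature fires.

    Returns (analyzers, index of the triggering packet), or ([], None).
    """
    for i, payload in enumerate(flow):
        hits = match_signatures(payload)
        if hits:
            return hits, i
    return [], None


# --- constructed packets (not taken from f1.pcap or f2.pcap) ---------------
def stun_binding_request() -> bytes:
    # type 0x0001 (Binding request), length 0, magic cookie, 12-byte transaction id
    return struct.pack(">HHI", 0x0001, 0, STUN_MAGIC_COOKIE) + b"\x00" * 12


def dtls_client_hello_record() -> bytes:
    body = b"\x01" + b"\x00" * 31  # handshake type 1 (ClientHello) plus filler
    header = (struct.pack(">BHH", DTLS_HANDSHAKE, 0xFEFD, 0)  # type, version, epoch
              + b"\x00" * 6                                  # sequence number
              + struct.pack(">H", len(body)))                # record length
    return header + body


# f1-like: STUN first, then DTLS.  f2-like: the leading packets missing.
FLOW_STUN_FIRST = [stun_binding_request(), stun_binding_request(), dtls_client_hello_record()]
FLOW_DTLS_FIRST = FLOW_STUN_FIRST[2:]

if __name__ == "__main__":
    for label, flow in (("f1-like", FLOW_STUN_FIRST), ("f2-like", FLOW_DTLS_FIRST)):
        print(label, "first-packet-only:", attach_first_packet_only(flow),
              "any-packet:", attach_any_packet(flow))
```

On the f1-like flow the first-packet policy attaches nothing and the DTLS handshake is never analysed, while the any-packet policy attaches the DTLS analyzer at the third packet; on the f2-like flow both policies agree, which is why the two pcaps together make a usable regression test.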
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20226#comment-20226 ]

Robin Sommer commented on BIT-1339:

Turns out this needs more discussion, as the right solution isn't quite clear yet.

Remove src and dst from notice

    Key: BIT-1339
    URL: https://bro-tracker.atlassian.net/browse/BIT-1339
    Project: Bro Issue Tracker
    Issue Type: Improvement
    Components: Bro
    Affects Versions: git/master
    Reporter: Seth Hall
    Assignee: Seth Hall
    Fix For: 2.5

Email from Brian Kellog... Related to this, I'm planning on deprecating $src and $dst from notices and removing their use from all shipped Bro scripts.

{quote}
I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro appropriate way.

Couple questions: Is this the best way to accomplish this task? Secondly, if advisable, how do we get these script changes incorporated into Bro base? I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released.

Here's what I changed/added to some of the built-in detection scripts (lines with + are what I changed/added):

/opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
  NOTICE([$note=Password_Guessing,
          $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
          $sub=sub_msg,
+         #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
  NOTICE([$note=FTP::Bruteforcing,
+         #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
          $msg=message,
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
  NOTICE([$note=SQL_Injection_Attacker,
          $msg="An SQL injection attacker was discovered!",
          $email_body_sections=vector(format_sqli_samples(r$samples)),
+         #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
+         $sub=cat(format_sqli_samples(r$samples)),
          $identifier=cat(key$host)]);
  }]);
  …
  NOTICE([$note=SQL_Injection_Victim,
          $msg="An SQL injection victim was discovered!",
          $email_body_sections=vector(format_sqli_samples(r$samples)),
+         #$src=key$host,
+         $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
+         $sub=cat(format_sqli_samples(r$samples)),
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/misc/scan.bro
  NOTICE([$note=Address_Scan,
          #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
+         #$p=to_port(key$str),
          $sub=side,
          $msg=message,
          $identifier=cat(key$host)]);
  }]);
  …
  NOTICE([$note=Port_Scan,
          #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
+         #$dst=to_addr(key$str),
          $sub=side,
          $msg=message,
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
  NOTICE([$note=Traceroute::Detected,
          $msg=fmt("%s seems to be running traceroute using %s", src, proto),
+         #$src=src,
+         $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
          $identifier=cat(src,proto)]);
  }]);
{quote}
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1339:

    Fix Version/s: (was: 2.4) 2.5

Remove src and dst from notice

    Key: BIT-1339
    URL: https://bro-tracker.atlassian.net/browse/BIT-1339
    Project: Bro Issue Tracker
    Issue Type: Improvement
    Components: Bro
    Affects Versions: git/master
    Reporter: Seth Hall
    Assignee: Seth Hall
    Fix For: 2.5

Email from Brian Kellog... Related to this, I'm planning on deprecating $src and $dst from notices and removing their use from all shipped Bro scripts.

{quote}
I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro appropriate way.

Couple questions: Is this the best way to accomplish this task? Secondly, if advisable, how do we get these script changes incorporated into Bro base? I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released.

Here's what I changed/added to some of the built-in detection scripts (lines with + are what I changed/added):

/opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
  NOTICE([$note=Password_Guessing,
          $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
          $sub=sub_msg,
+         #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
  NOTICE([$note=FTP::Bruteforcing,
+         #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
          $msg=message,
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
  NOTICE([$note=SQL_Injection_Attacker,
          $msg="An SQL injection attacker was discovered!",
          $email_body_sections=vector(format_sqli_samples(r$samples)),
+         #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
+         $sub=cat(format_sqli_samples(r$samples)),
          $identifier=cat(key$host)]);
  }]);
  …
  NOTICE([$note=SQL_Injection_Victim,
          $msg="An SQL injection victim was discovered!",
          $email_body_sections=vector(format_sqli_samples(r$samples)),
+         #$src=key$host,
+         $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
+         $sub=cat(format_sqli_samples(r$samples)),
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/misc/scan.bro
  NOTICE([$note=Address_Scan,
          #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
+         #$p=to_port(key$str),
          $sub=side,
          $msg=message,
          $identifier=cat(key$host)]);
  }]);
  …
  NOTICE([$note=Port_Scan,
          #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
+         #$dst=to_addr(key$str),
          $sub=side,
          $msg=message,
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
  NOTICE([$note=Traceroute::Detected,
          $msg=fmt("%s seems to be running traceroute using %s", src, proto),
+         #$src=src,
+         $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
          $identifier=cat(src,proto)]);
  }]);
{quote}
[Bro-Dev] [JIRA] (BIT-1368) File type identification fixes
[ https://bro-tracker.atlassian.net/browse/BIT-1368?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1368:

    Fix Version/s: 2.4

File type identification fixes

    Key: BIT-1368
    URL: https://bro-tracker.atlassian.net/browse/BIT-1368
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: 2.4
    Reporter: Seth Hall
    Assignee: Seth Hall
    Fix For: 2.4

I have some changes nearly queued up for the 2.4 release in the repository (topic/seth/more-file-type-ident-fixes) but a bit more work needs to be done.

There may be one more breaking change to the files api coming in this branch too. Jon and I discussed some options and I think that creating a new event named file_sniff in place of the file_mime_type event makes sense. We can put the mime type and more sniff originated data in a record on that event so that we can extend it cleanly (and without breaking APIs) in the future. I think it will look something like this:

```
type fa_sniff: record {
    ## Depth sniffed.
    depth: count &default=0;

    ## Sniffed mime type if one was discovered.
    mime_type: string &optional;
};

event file_sniff(f: fa_file, sniff: fa_sniff)
    {
    if ( sniff?$mime_type )
        {
        print sniff$mime_type;
        }
    }
```

One other thing this branch will address is a performance degradation from certain file signatures interacting with each other poorly.
[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated
[ https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1365:

    Assignee: Vlad Grigorescu

direction field of SSH::Info no longer populated

    Key: BIT-1365
    URL: https://bro-tracker.atlassian.net/browse/BIT-1365
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Jon Siwek
    Assignee: Vlad Grigorescu
    Fix For: 2.4

Here's the bug report:

{quote}
Reporter::ERROR field value missing [SSH::c$ssh$direction] /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro, line 29
Reporter::WARNING non-void function returns without a value: SSH::get_location (empty)

Tracing this back, it looks like the SSH::c$ssh$direction is not being populated. I checked the /base/protocols/ssh/main.bro file and it looks like the function is missing.

Looking at https://www.bro.org/sphinx/_downloads/main32.bro and https://github.com/bro/bro/blob/master/scripts/base/protocols/ssh/main.bro it looks like the function that determined the direction was removed at one point, which looks like it causes the /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro script to fail
{quote}
[Bro-Dev] [JIRA] (BIT-1360) Better error message when SpoolDir does not exist
[ https://bro-tracker.atlassian.net/browse/BIT-1360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1360:

    Resolution: Fixed
    Status: Closed (was: Open)

Better error message when SpoolDir does not exist

    Key: BIT-1360
    URL: https://bro-tracker.atlassian.net/browse/BIT-1360
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: BroControl
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Daniel Thayer
    Priority: Low
    Fix For: 2.4

Currently, the error message that is given when SpoolDir in broctl.cfg does not exist is rather unhelpful (something in the direction of "Cannot open database").
[Bro-Dev] [JIRA] (BIT-1349) Broctl stop output is not sorted anymore
[ https://bro-tracker.atlassian.net/browse/BIT-1349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20225#comment-20225 ]

Robin Sommer commented on BIT-1349:

Fixed in BIT-1362.

Broctl stop output is not sorted anymore

    Key: BIT-1349
    URL: https://bro-tracker.atlassian.net/browse/BIT-1349
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: BroControl
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Daniel Thayer
    Priority: Trivial
    Fix For: 2.4

Minor: the output of the worker nodes when doing broctl stop is not sorted anymore. We should either sort it (or just skip outputting it altogether) - at the moment it is not really useful; if there is no numerical order it is difficult to see if a number one wants to have in there is missing or not.
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer reassigned BIT-1339: - Assignee: (was: Seth Hall) Remove src and dst from notice -- Key: BIT-1339 URL: https://bro-tracker.atlassian.net/browse/BIT-1339 Project: Bro Issue Tracker Issue Type: Improvement Components: Bro Affects Versions: git/master Reporter: Seth Hall Fix For: 2.5 Email from Brian Kellog... Related to this, I'm planning on deprecating $src and $dst from notices and removing their use from all shipped Bro scripts. {quote} I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro appropriate way. Couple questions: Is this the best way to accomplish this task? Secondly, if advisable, how do we get these script changes incorporated into Bro base? I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released. 
Here's what I changed/add to some of the built-in detection scripts (Lines with + are what I changed/added): /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro NOTICE([$note=Password_Guessing, $msg=fmt(%s appears to be guessing SSH passwords (seen in %d connections)., key$host, r$num), $sub=sub_msg, + #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro NOTICE([$note=FTP::Bruteforcing, + #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], $msg=message, $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro NOTICE([$note=SQL_Injection_Attacker, $msg=An SQL injection attacker was discovered!, $email_body_sections=vector(format_sqli_samples(r$samples)), + #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], + $sub=cat(format_sqli_samples(r$samples)), $identifier=cat(key$host)]); }]); … NOTICE([$note=SQL_Injection_Victim, $msg=An SQL injection victim was discovered!, $email_body_sections=vector(format_sqli_samples(r$samples)), + #$src=key$host, + $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp], + $sub=cat(format_sqli_samples(r$samples)), $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/misc/scan.bro NOTICE([$note=Address_Scan, #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str], + #$p=to_port(key$str), $sub=side, $msg=message, $identifier=cat(key$host)]); }]); … NOTICE([$note=Port_Scan, #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp], + #$dst=to_addr(key$str), $sub=side, $msg=message, $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro NOTICE([$note=Traceroute::Detected, $msg=fmt(%s seems to be running traceroute using %s, src, proto), + #$src=src, + 
$id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp], $identifier=cat(src,proto)]); }]);
{quote}
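Review bot: in the scan.bro regions the string key$str is assigned directly to typed conn_id fields, `$resp_p=key$str` in the Address_Scan notice and `$resp_h=key$str` in the Port_Scan notice, while the lines being commented out right there (`#$p=to_port(key$str)`, `#$dst=to_addr(key$str)`) show the conversions those fields need; use `$resp_p=to_port(key$str)` and `$resp_h=to_addr(key$str)`, otherwise the record constructors fail type checking when the scripts load.

Review bot: the ssh, ftp, sqli and scan regions replace $src with an $id whose unknown side is filled in as 0.0.0.0 and 0/tcp, so a one-sided notice becomes indistinguishable in notice.log from a connection that really involved 0.0.0.0:0; since $src and $dst are slated for deprecation, the placeholder convention should be stated alongside the change, and a consumer such as ELSA has to treat those values as "unknown" rather than index them as real endpoints.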
[Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers
[ https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20230#comment-20230 ]

Robin Sommer commented on BIT-1306:
---

Check the change.

bro process would get stuck/freeze with myricom drivers

Key: BIT-1306
URL: https://bro-tracker.atlassian.net/browse/BIT-1306
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Environment: OS: FreeBSD 9.3-RELEASE-p5; bro version 2.3-328 (git log -1 --format=%H: 379593c7fded0f9791ae71a52dd78a4c9d5a2c1f)
Reporter: Aashish Sharma
Labels: bro-git, myricom
Fix For: 2.4

When I stop bro (in cluster mode), one of the bro worker processes (random) would get stuck and wouldn't shutdown, stop or even be killed using kill -s 9. The system has to be ultimately rebooted to remove the stuck bro process.

On running myri_start_stop I see:

# /usr/local/opt/snf/sbin/myri_start_stop stop
Removing myri_snf.ko
kldunload: can't unload file: Device busy

It appears that the myri_snf.ko driver cannot be unloaded because of the stuck bro process. That process still has an open descriptor on the Sniffer device/driver and the bro process freezes.

More details: the bro process is stuck in RNE state:

R  Marks a runnable process.
N  The process has reduced CPU scheduling priority (see setpriority(2)).
E  The process is trying to exit.

Here is an example:

### stuck process:
[bro@01 ~]$ ps auxwww | fgrep 1616
bro 1616 100.0 0.0 758040 60480 ?? RNE 2:57PM 53:50.04 /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro broctl/auto

When checking for the process in proc:
[bro@c ~]$ ls -l /proc/1616
ls: /proc/1616: No such file or directory
[Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers
[ https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1306:
---

Assignee: Robin Sommer

bro process would get stuck/freeze with myricom drivers

Key: BIT-1306
URL: https://bro-tracker.atlassian.net/browse/BIT-1306
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Environment: OS: FreeBSD 9.3-RELEASE-p5; bro version 2.3-328 (git log -1 --format=%H: 379593c7fded0f9791ae71a52dd78a4c9d5a2c1f)
Reporter: Aashish Sharma
Assignee: Robin Sommer
Labels: bro-git, myricom
Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1331) Bro manager crashes when logs rotate
[ https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1331:
---

Priority: Normal (was: Low)

Bro manager crashes when logs rotate

Key: BIT-1331
URL: https://bro-tracker.atlassian.net/browse/BIT-1331
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master, 2.4
Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
Reporter: Josh Liburdi
Fix For: 2.4

The Bro manager crashes when the logs rotate. Workers run fine through this process.

stderr.log output:

internal error: finish missing
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup $mybro $@
send-mail: SENDMAIL-NOTFOUND not found
[Bro-Dev] [JIRA] (BIT-947) Incorrect size calculation for SSH failed/successful heuristic
[ https://bro-tracker.atlassian.net/browse/BIT-947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-947:
---

Resolution: Fixed
Status: Closed (was: Open)

Incorrect size calculation for SSH failed/successful heuristic

Key: BIT-947
URL: https://bro-tracker.atlassian.net/browse/BIT-947
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: Vlad Grigorescu
Priority: Low
Fix For: 2.4

We're getting a lot of false positives for successful SSH logins from a source that we recently blackholed. I suspect what's happening is that the retransmissions keep bumping up the size of the connection, until it crosses the threshold for a successful connection. With the changes from BIT-730 (Find and fix tcp sequence counting bugs), is it possible to improve the accuracy of the reported size?
[Bro-Dev] [JIRA] (BIT-947) Incorrect size calculation for SSH failed/successful heuristic
[ https://bro-tracker.atlassian.net/browse/BIT-947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20232#comment-20232 ]

Robin Sommer commented on BIT-947:
---

Should be fixed with new SSH code.

Incorrect size calculation for SSH failed/successful heuristic

Key: BIT-947
URL: https://bro-tracker.atlassian.net/browse/BIT-947
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: Vlad Grigorescu
Priority: Low
Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated
[ https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1365:
---

Priority: Low (was: Normal)

direction field of SSH::Info no longer populated

Key: BIT-1365
URL: https://bro-tracker.atlassian.net/browse/BIT-1365
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: Jon Siwek
Assignee: Vlad Grigorescu
Priority: Low
Fix For: 2.4

Here's the bug report:

{quote}
Reporter::ERROR field value missing [SSH::c$ssh$direction] /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro, line 29
Reporter::WARNING non-void function returns without a value: SSH::get_location (empty)

Tracing this back, it looks like the SSH::c$ssh$direction is not being populated. I checked the /base/protocols/ssh/main.bro file and it looks like the function is missing. Looking at https://www.bro.org/sphinx/_downloads/main32.bro and https://github.com/bro/bro/blob/master/scripts/base/protocols/ssh/main.bro it looks like the function that determined the direction was removed at one point, which looks like it causes the /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro script to fail.
{quote}
[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated
[ https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1365:
---

Priority: Normal (was: Low)

direction field of SSH::Info no longer populated

Key: BIT-1365
URL: https://bro-tracker.atlassian.net/browse/BIT-1365
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: Jon Siwek
Assignee: Vlad Grigorescu
Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1353) BroCtl status/top take excessive amount of time
[ https://bro-tracker.atlassian.net/browse/BIT-1353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20224#comment-20224 ]

Robin Sommer commented on BIT-1353:
---

Set timeout to 30s and make it configurable; revisit later when Broker is there.

BroCtl status/top take excessive amount of time

Key: BIT-1353
URL: https://bro-tracker.atlassian.net/browse/BIT-1353
Project: Bro Issue Tracker
Issue Type: Problem
Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
Fix For: 2.4

After running a large bro cluster for a few days on a FreeBSD system (FreeBSD 10.1, 28 physical nodes, 81 worker processes), broctl actions that interact with all nodes seem to take excessive amounts of time (2 minutes for a broctl status). This was not the case right after starting up the cluster. If there is any way I can help with more information, please let me know what to do.
[Bro-Dev] [JIRA] (BIT-1331) Bro manager crashes when logs rotate
[ https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1331:
---

Priority: Low (was: High)

Bro manager crashes when logs rotate

Key: BIT-1331
URL: https://bro-tracker.atlassian.net/browse/BIT-1331
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master, 2.4
Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
Reporter: Josh Liburdi
Priority: Low
Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1337) Bro worker crash - terminate after 'std::length_error'
[ https://bro-tracker.atlassian.net/browse/BIT-1337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1337:
---

Assignee: Vlad Grigorescu

Bro worker crash - terminate after 'std::length_error'

Key: BIT-1337
URL: https://bro-tracker.atlassian.net/browse/BIT-1337
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: Josh Liburdi
Assignee: Vlad Grigorescu
Fix For: 2.4

Running Bro master with the Kerberos and RDP analyzer branches resulted in one crashed worker on a pf_ring cluster. BroControl diag results below:

terminate called after throwing an instance of 'std::length_error'
  what():  basic_string::_S_create
/usr/local/bro/share/broctl/scripts/run-bro: line 85: 195850 Aborted (core dumped) nohup $mybro $@
[Bro-Dev] [JIRA] (BIT-1337) Bro worker crash - terminate after 'std::length_error'
[ https://bro-tracker.atlassian.net/browse/BIT-1337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20227#comment-20227 ]

Robin Sommer commented on BIT-1337:
---

Let's do a quick sanity check of the code.

Bro worker crash - terminate after 'std::length_error'

Key: BIT-1337
URL: https://bro-tracker.atlassian.net/browse/BIT-1337
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: Josh Liburdi
Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1154) Formatters restructured in: topic/seth/json-formatter
[ https://bro-tracker.atlassian.net/browse/BIT-1154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1154:
---

Assignee: Seth Hall

Formatters restructured in: topic/seth/json-formatter

Key: BIT-1154
URL: https://bro-tracker.atlassian.net/browse/BIT-1154
Project: Bro Issue Tracker
Issue Type: New Feature
Components: Bro
Affects Versions: 2.4
Reporter: Seth Hall
Assignee: Seth Hall
Fix For: 2.4

topic/seth/json-formatter has an abstraction for Formatters and I created a formatters directory under threading. There is also a new JSON formatter and support in the Ascii and ElasticSearch writers for the JSON formatter. I went ahead and threw in per-filter configuration options for the Ascii writer for all of the options that were exposed globally too.
[Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1263:
---

Fix Version/s: 2.5 (was: 2.4)

Implementing three event handlers for supported data structure in Modbus Analyzer

Key: BIT-1263
URL: https://bro-tracker.atlassian.net/browse/BIT-1263
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Reporter: hui
Priority: Low
Labels: analyzer, modbus
Fix For: 2.5

Three support data structures are defined in the Modbus analyzer: FileRecordRequest, FileRecordResponse, ReferenceWithData. Three event handlers are declared for them. The changes are already made and pushed into the branch: topic/hui/modbus-events2
[Bro-Dev] [JIRA] (BIT-1345) Crash due to a bad dictionary insert
[ https://bro-tracker.atlassian.net/browse/BIT-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1345:
---

Assignee: Jon Siwek

Crash due to a bad dictionary insert

Key: BIT-1345
URL: https://bro-tracker.atlassian.net/browse/BIT-1345
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Reporter: Aaron Eppert
Assignee: Jon Siwek
Priority: High
Fix For: 2.4

{noformat}
#0  0x00713b87 in Dictionary::Insert (this=0x1339840, new_entry=0xb18a9d0, copy_key=0) at /root/redacted/bro/src/Dict.cc:419
#1  0x007130b0 in Dictionary::Insert (this=0x1339840, key=0xa23f6d0, key_size=36, hash=658668102, val=0x67fde40, copy_key=0) at /root/redacted/bro/src/Dict.cc:158
#2  0x006cb508 in Dictionary::Insert (this=0x1339840, key=0x74ba81b0, val=0x67fde40) at /root/redacted/bro/src/Dict.h:47
#3  0x0077ee9b in IDPDict::Insert (this=0x1339840, key=0xebf780 "#redacted-redacted.redacted.redacted#21703#1182", val=0x67fde40) at /root/redacted/bro/src/Scope.h:18
#4  0x0077ef05 in Scope::Insert (this=0x133a8b0, name=0xebf780 "#redacted-redacted.redacted.redacted#21703#1182", id=0x67fde40) at /root/redacted/bro/src/Scope.h:26
#5  0x008010cc in MutableVal::Bind (this=0x14f451f0) at /root/redacted/bro/src/Val.cc:624
#6  0x00800ec8 in MutableVal::AddProperties (this=0x14f451f0, arg_props=2 '\002') at /root/redacted/bro/src/Val.cc:558
#7  0x0080a8d6 in RecordVal::AddProperties (this=0x14f451f0, arg_props=2 '\002') at /root/redacted/bro/src/Val.cc:2866
#8  0x00805948 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, k=0x0, new_val=0x14f451f0, op=OP_ASSIGN) at /root/redacted/bro/src/Val.cc:1502
#9  0x00805501 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, new_val=0x14f451f0, op=OP_ASSIGN) at /root/redacted/bro/src/Val.cc:1442
#10 0x00738b13 in IndexExpr::Assign (this=0x2087350, f=0x12073280, v=0x14f451f0, op=OP_ASSIGN) at /root/redacted/bro/src/Expr.cc:3135
#11 0x007362a2 in RefExpr::Assign (this=0x2087540, f=0x12073280, v=0x14f451f0, opcode=OP_ASSIGN) at /root/redacted/bro/src/Expr.cc:2463
#12 0x007370ea in AssignExpr::Eval (this=0x20874d0, f=0x12073280) at /root/redacted/bro/src/Expr.cc:2673
#13 0x007e22bb in ExprStmt::Exec (this=0x2087660, f=0x12073280, flow=@0x74ba8624) at /root/redacted/bro/src/Stmt.cc:369
#14 0x007e8375 in StmtList::Exec (this=0x2082c80, f=0x12073280, flow=@0x74ba8624) at /root/redacted/bro/src/Stmt.cc:1764
#15 0x0074e6cd in BroFunc::Call (this=0x2087e70, args=0x13525bb0, parent=0x0) at /root/redacted/bro/src/Func.cc:386
#16 0x00725883 in EventHandler::Call (this=0x2082160, vl=0x13525bb0, no_remote=false) at /root/redacted/bro/src/EventHandler.cc:80
#17 0x006d8cc2 in Event::Dispatch (this=0x620e610, no_remote=false) at /root/redacted/bro/src/Event.h:50
#18 0x00724ef7 in EventMgr::Dispatch (this=0xebd400) at /root/redacted/bro/src/Event.cc:111
#19 0x00725032 in EventMgr::Drain (this=0xebd400) at /root/redacted/bro/src/Event.cc:128
#20 0x00788828 in net_packet_dispatch (t=1426626559.98401, hdr=0x3314d40, pkt=0x7f14a8b464cc <Address 0x7f14a8b464cc out of bounds>, hdr_size=14, src_ps=0x3314c00) at /root/redacted/bro/src/Net.cc:278
#21 0x00a786d5 in iosource::PktSrc::Process (this=0x3314c00) at /root/redacted/bro/src/iosource/PktSrc.cc:411
#22 0x007889f8 in net_run () at /root/redacted/bro/src/Net.cc:320
#23 0x006d8157 in main (argc=20, argv=0x74ba9188) at /root/redacted/bro/src/main.cc:1200
{noformat}
[Bro-Dev] [JIRA] (BIT-1352) Certificate validation script does not deal well with root-certs being sent by server
[ https://bro-tracker.atlassian.net/browse/BIT-1352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1352:
---

Fix Version/s: 2.5 (was: 2.4)

Certificate validation script does not deal well with root-certs being sent by server

Key: BIT-1352
URL: https://bro-tracker.atlassian.net/browse/BIT-1352
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Johanna Amann
Fix For: 2.5

Currently, the validate-certs script in policy does not deal well with certain certificate chains, where the trust-anchor is being sent by the server. We should be able to fix this by removing the trust-anchor automatically from the chain; solving this might potentially change the way root-certs are currently being loaded into Bro. Example server: access.redhat.com
[Bro-Dev] [JIRA] (BIT-1349) Broctl stop output is not sorted anymore
[ https://bro-tracker.atlassian.net/browse/BIT-1349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1349:
---

Resolution: Fixed
Status: Closed (was: Open)

Broctl stop output is not sorted anymore

Key: BIT-1349
URL: https://bro-tracker.atlassian.net/browse/BIT-1349
Project: Bro Issue Tracker
Issue Type: Problem
Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
Priority: Trivial
Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1362) topic/dnthayer/fixes-for-2.4
[ https://bro-tracker.atlassian.net/browse/BIT-1362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20216#comment-20216 ]

Robin Sommer commented on BIT-1362:
---

Justin, feel like doing your first merge? :-)

topic/dnthayer/fixes-for-2.4

Key: BIT-1362
URL: https://bro-tracker.atlassian.net/browse/BIT-1362
Project: Bro Issue Tracker
Issue Type: Problem
Components: BroControl
Reporter: Daniel Thayer
Assignee: Justin Azoff
Fix For: 2.4

The branch topic/dnthayer/fixes-for-2.4 contains fixes that address BIT-1360, 1355, 1349, 1329, and 631, as well as various other fixes and improvements.
[Bro-Dev] [JIRA] (BIT-1362) topic/dnthayer/fixes-for-2.4
[ https://bro-tracker.atlassian.net/browse/BIT-1362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1362:
---

Assignee: Justin Azoff

topic/dnthayer/fixes-for-2.4

Key: BIT-1362
URL: https://bro-tracker.atlassian.net/browse/BIT-1362
Project: Bro Issue Tracker
Issue Type: Problem
Components: BroControl
Reporter: Daniel Thayer
Assignee: Justin Azoff
Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20204#comment-20204 ]

Robin Sommer commented on BIT-1263:
---

Yeah, I would like to have test cases before merging this. Did you test the new messages in some form when you developed the code?

Implementing three event handlers for supported data structure in Modbus Analyzer

Key: BIT-1263
URL: https://bro-tracker.atlassian.net/browse/BIT-1263
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Reporter: hui
Priority: Low
Labels: analyzer, modbus
Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1344:
---

I would prefer staying with the well-known ports. I see the argument for signature-only, but it would be inconsistent with how the other analyzers work, making it hard to explain to people what's going on. And I don't expect much of a problem in terms of efficiency for SSH.

New SSH Analyzer

Key: BIT-1344
URL: https://bro-tracker.atlassian.net/browse/BIT-1344
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: 2.4
Reporter: Vlad Grigorescu
Assignee: Vlad Grigorescu

The SSH analyzer was rewritten from scratch in topic/vladg/ssh.
Re: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
On Tue, Mar 24, 2015 at 16:52 -0500, you wrote:

> This is something I've actually been moving away from. If I have a high level of confidence in the DPD signature, I'd rather rely on that, since I believe it will be more efficient than to try to attach the analyzer to all traffic on that port, and wait for a violation. This was based off some informal discussions with Seth, but I'm happy to throw it out to bro-dev and see what others think.

I would prefer staying with the well-known ports. I see the argument for signature-only, but it would be inconsistent with how the other analyzers work, making it hard to explain to people what's going on. And I don't expect much of a problem in terms of efficiency for SSH.
[Bro-Dev] [JIRA] (BIT-1313) Add help and all options to -B
[ https://bro-tracker.atlassian.net/browse/BIT-1313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20107#comment-20107 ]

Robin Sommer commented on BIT-1313:
---

Adapted and merged in 1dbc5ed523700c5c

Add help and all options to -B

Key: BIT-1313
URL: https://bro-tracker.atlassian.net/browse/BIT-1313
Project: Bro Issue Tracker
Issue Type: Patch
Components: Bro
Reporter: jdonnelly
Assignee: Robin Sommer
Fix For: 2.4
Attachments: log.diff

Expand -B to include all, help, and list all the various debug trace points:

# /usr/local/bro/bin/bro -B poo
fatal error: unknown debug stream poo, try -B help.
# /usr/local/bro/bin/bro -B help
Options may be separated by ,
all help serial rules comm state chunkedio compressor string notifiers main-loop dpd tm logging input threading file_analysis plugins broxygen pktio
[Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores
[ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1324:
---

Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

default_path_func does weird things to underscores

Key: BIT-1324
URL: https://bro-tracker.atlassian.net/browse/BIT-1324
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Reporter: Justin Azoff
Assignee: Robin Sommer
Priority: Low
Labels: logging
Fix For: 2.4

The following script creates a {noformat}foo__b_ar.log{noformat} instead of the expected {noformat}foo_bar{noformat}

{code}
module FOO_BAR;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts: time &log;
		msg: string &log;
	};
}

event bro_init()
	{
	Log::create_stream(LOG, [$columns=Info]);
	local l = [$ts = network_time(), $msg="hello"];
	Log::write(LOG, l);
	print "Logged";
	}
{code}

The problem is in script land in default_path_func:

{code}
local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
print module_parts;
{code}

outputs

{code}
[FOO, _B, AR]
{code}
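Added Python illustration of the BIT-1324 behaviour; it is not Bro script and not the fix that was merged. It reproduces the split quoted in the report, reconstructs a join that yields the reported foo__b_ar (that join is inferred from the reported output, not taken from the script), and shows one correction that treats an underscore already present in the module name as the boundary.

```python
import re
from typing import List

# The regex quoted in the issue: a non-uppercase character, an uppercase
# letter, then its lowercase tail. It is meant to find CamelCase boundaries.
MODULE_SPLIT_RE = re.compile(r"([^A-Z][A-Z][a-z]*)")


def split_with_separators(module: str, max_splits: int = 4) -> List[str]:
    """Stand-in for split_string_n(module, /[^A-Z][A-Z][a-z]*/, T, 4).

    The capturing group makes re.split keep each separator in the result,
    which is what the 'T' (include separators) argument does in Bro.
    """
    return MODULE_SPLIT_RE.split(module, maxsplit=max_splits)


def buggy_log_path(module: str) -> str:
    """Reconstruct the file name the issue reports.

    Assumption: this join is inferred from the reported output, it is not
    the script's own code. Each separator piece contributes its first
    character, an underscore and the rest; each remainder after it is
    appended behind another underscore. For "FOO_BAR" the separator is
    "_B", so two underscores end up adjacent.
    """
    parts = split_with_separators(module)
    out = parts[0]
    for i, piece in enumerate(parts[1:], start=1):
        if not piece:
            continue
        if i % 2 == 1:  # a separator match such as "_B" or "eModule"
            out += piece[0] + "_" + piece[1:]
        else:  # plain text following the separator, such as "AR"
            out += "_" + piece
    return out.lower()


def fixed_log_path(module: str) -> str:
    """One correction: insert an underscore at each lowercase-to-uppercase
    boundary, then collapse runs of underscores so an explicit '_' in the
    module name stays a single boundary."""
    with_boundaries = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", module)
    collapsed = re.sub(r"_+", "_", with_boundaries)
    return collapsed.lower().strip("_")


if __name__ == "__main__":
    for name in ("FOO_BAR", "SomeModule", "HTTP"):
        print(name, split_with_separators(name),
              buggy_log_path(name), fixed_log_path(name))
```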
[Bro-Dev] [JIRA] (BIT-1347) Please merge topic/johanna/dtls
[ https://bro-tracker.atlassian.net/browse/BIT-1347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1347:
---

Assignee: Robin Sommer

Please merge topic/johanna/dtls

Key: BIT-1347
URL: https://bro-tracker.atlassian.net/browse/BIT-1347
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Robin Sommer
Labels: dtls, ssl
Fix For: 2.4

Please merge topic/johanna/dtls.

First and foremost, this branch brings DTLS 1.0 / 1.2 support to Bro. DTLS is mostly handled just like SSL. It emits the same events and thus works seamlessly with the current SSL scripts in the Bro core. Furthermore, it implements TLS record layer defragmentation for the TLS Handshake protocol, enabling us e.g. to deal with connections containing large certificates. The analyzer is now split into three parts: a SSL/TLS analyzer, a DTLS analyzer and a TLS handshake protocol analyzer. The SSL/TLS and DTLS analyzers use a large amount of the same code by including common pac-files.
[Bro-Dev] [JIRA] (BIT-342) Add payload to ICMP analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-342:
-
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

Add payload to ICMP analyzer
Key: BIT-342 URL: https://bro-tracker.atlassian.net/browse/BIT-342 Project: Bro Issue Tracker Issue Type: Patch Components: Bro Affects Versions: 1.5.2 Reporter: Seth Hall Assignee: Robin Sommer Fix For: 2.4 Attachments: ICMP-add-payload.diff

This is a patch from Julien Sentier on the mailing list that makes ICMP payloads available at the scripting layer. Is there a reason this isn't already available? I would have committed it to fastpath except I don't know if it's not already doing this due to the potential overhead of creating a lot of strings in ICMP floods. At the very least, I suppose it could be optional (which the patch doesn't currently do).
[Bro-Dev] [JIRA] (BIT-788) Good analysis of unidirectional DNS flows
[ https://bro-tracker.atlassian.net/browse/BIT-788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-788:
-
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

Good analysis of unidirectional DNS flows
-
Key: BIT-788 URL: https://bro-tracker.atlassian.net/browse/BIT-788 Project: Bro Issue Tracker Issue Type: Patch Components: Bro Affects Versions: git/master Reporter: juliensentier Assignee: Robin Sommer Fix For: 2.4 Attachments: 0011-Good-analysis-of-unidirectional-answer-DNS-traffic-f.patch

Some use UDP port 53 as a source port for DNS requests. And sometimes, we can miss the DNS request. In this case, we can rely on the DNS field QR to identify the direction of the flow.
[Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII
[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1199:
--
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

Better error messages for input file errors in READER_ASCII
---
Key: BIT-1199 URL: https://bro-tracker.atlassian.net/browse/BIT-1199 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Reporter: Vlad Grigorescu Assignee: Robin Sommer Fix For: 2.4 Attachments: test.intel

This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out with:

{code}
internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
{code}

The attached file contains an extra tab after downloader.com. It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number. I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number. (Also, there's a typo in mappimg in the error message that's currently displayed.)
[Bro-Dev] [JIRA] (BIT-1347) Please merge topic/johanna/dtls
[ https://bro-tracker.atlassian.net/browse/BIT-1347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1347:
--
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

Please merge topic/johanna/dtls
---
Key: BIT-1347 URL: https://bro-tracker.atlassian.net/browse/BIT-1347 Project: Bro Issue Tracker Issue Type: Improvement Components: Bro Affects Versions: git/master Reporter: Johanna Amann Assignee: Robin Sommer Labels: dtls, ssl Fix For: 2.4

Please merge topic/johanna/dtls

First and foremost, this branch brings DTLS 1.0 / 1.2 support to Bro. DTLS is mostly handled just like SSL. It emits the same events and thus works seamlessly with the current SSL scripts in the Bro core.

Furthermore, it implements TLS record layer defragmentation for the TLS Handshake protocol, enabling us e.g. to deal with connections containing large certificates.

The analyzer is now split into three parts: a SSL/TLS analyzer, a DTLS analyzer and a TLS handshake protocol analyzer. The SSL/TLS and DTLS analyzers share a large amount of the same code by including common pac-files.
[Bro-Dev] [JIRA] (BIT-1313) Add help and all options to -B
[ https://bro-tracker.atlassian.net/browse/BIT-1313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1313:
--
Resolution: Merged
Status: Closed (was: Open)

Add help and all options to -B
---
Key: BIT-1313 URL: https://bro-tracker.atlassian.net/browse/BIT-1313 Project: Bro Issue Tracker Issue Type: Patch Components: Bro Reporter: jdonnelly Assignee: Robin Sommer Fix For: 2.4 Attachments: log.diff

Expand -B to include all, help, and list all the various debug trace points:

# /usr/local/bro/bin/bro -B poo
fatal error: unknown debug stream poo, try -B help.

# /usr/local/bro/bin/bro -B help
Options may be separated by ,
all
help
serial
rules
comm
state
chunkedio
compressor
string
notifiers
main-loop
dpd
tm
logging
input
threading
file_analysis
plugins
broxygen
pktio
[Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII
[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1199:
-
Assignee: Robin Sommer

Better error messages for input file errors in READER_ASCII
---
Key: BIT-1199 URL: https://bro-tracker.atlassian.net/browse/BIT-1199 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Reporter: Vlad Grigorescu Assignee: Robin Sommer Fix For: 2.4 Attachments: test.intel

This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out with:

{code}
internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
{code}

The attached file contains an extra tab after downloader.com. It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number. I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number. (Also, there's a typo in mappimg in the error message that's currently displayed.)
[Bro-Dev] [JIRA] (BIT-342) Add payload to ICMP analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-342:
Assignee: Robin Sommer

Add payload to ICMP analyzer
Key: BIT-342 URL: https://bro-tracker.atlassian.net/browse/BIT-342 Project: Bro Issue Tracker Issue Type: Patch Components: Bro Affects Versions: 1.5.2 Reporter: Seth Hall Assignee: Robin Sommer Fix For: 2.4 Attachments: ICMP-add-payload.diff

This is a patch from Julien Sentier on the mailing list that makes ICMP payloads available at the scripting layer. Is there a reason this isn't already available? I would have committed it to fastpath except I don't know if it's not already doing this due to the potential overhead of creating a lot of strings in ICMP floods. At the very least, I suppose it could be optional (which the patch doesn't currently do).
[Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores
[ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1324:
-
Assignee: Robin Sommer

default_path_func does weird things to underscores
--
Key: BIT-1324 URL: https://bro-tracker.atlassian.net/browse/BIT-1324 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Reporter: Justin Azoff Assignee: Robin Sommer Priority: Low Labels: logging Fix For: 2.4

The following script creates a {noformat}foo__b_ar.log{noformat} instead of the expected {noformat}foo_bar{noformat}

{code}
module FOO_BAR;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts: time &log;
        msg: string &log;
    };
}

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info]);
    local l = [$ts = network_time(), $msg="hello"];
    Log::write(LOG, l);
    print "Logged";
    }
{code}

The problem is in script land in default_path_func:

{code}
local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
print module_parts;
{code}

outputs

{code}
[FOO, _B, AR]
{code}
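As an added example (not code from the Bro project), the following Python reconstructs the splitting and joining described in this issue to show how FOO_BAR turns into foo__b_ar, and contrasts the reported regex with one that only splits on a lowercase-to-uppercase transition; split_string_n is approximated and the path-building steps are an assumption about what default_path_func does with the pieces, not its actual code.

```python
import re

# Boundary regex exactly as quoted in the issue: any non-uppercase character
# followed by an uppercase letter and a run of lowercase letters.
BUGGY_BOUNDARY = re.compile(r"[^A-Z][A-Z][a-z]*")

# Constructed alternative (an assumption, not the project's fix): only a
# lowercase letter directly followed by an uppercase letter is a CamelCase
# boundary, so an underscore that is already in the name is left alone.
FIXED_BOUNDARY = re.compile(r"[a-z][A-Z][a-z]*")


def split_string_n(s, pattern, incl_sep=True, max_num_sep=4):
    """Approximation of Bro's split_string_n(s, re, incl_sep, max_num_sep):
    split s on pattern at most max_num_sep times; when incl_sep is set the
    matched separators are returned as their own elements."""
    parts = []
    pos = 0
    for n, m in enumerate(pattern.finditer(s)):
        if n >= max_num_sep:
            break
        parts.append(s[pos:m.start()])
        if incl_sep:
            parts.append(m.group(0))
        pos = m.end()
    parts.append(s[pos:])
    return parts


def default_path(module_name, boundary):
    """Assumed path-building logic: keep the first element as-is; each
    separator element (odd index, e.g. "mStats" or "_B") is split after its
    first character with an underscore; each remaining plain element is
    appended with a leading underscore; the result is lower-cased."""
    parts = split_string_n(module_name, boundary)
    output = parts[0]
    for i, part in enumerate(parts[1:], start=1):
        if not part:
            continue
        if i % 2 == 1:
            output += part[0] + "_" + part[1:]
        else:
            output += "_" + part
    return output.lower()


if __name__ == "__main__":
    for name in ("FOO_BAR", "SumStats", "Notice", "DCE_RPC"):
        print(name, split_string_n(name, BUGGY_BOUNDARY),
              default_path(name, BUGGY_BOUNDARY),
              default_path(name, FIXED_BOUNDARY))
```

The buggy regex treats the underscore in FOO_BAR as the "non-uppercase" lead-in of a CamelCase boundary, which is why the separator element "_B" gets a second underscore inserted after it.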
[Bro-Dev] [JIRA] (BIT-788) Good analysis of unidirectional DNS flows
[ https://bro-tracker.atlassian.net/browse/BIT-788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-788:
Assignee: Robin Sommer

Good analysis of unidirectional DNS flows
-
Key: BIT-788 URL: https://bro-tracker.atlassian.net/browse/BIT-788 Project: Bro Issue Tracker Issue Type: Patch Components: Bro Affects Versions: git/master Reporter: juliensentier Assignee: Robin Sommer Fix For: 2.4 Attachments: 0011-Good-analysis-of-unidirectional-answer-DNS-traffic-f.patch

Some use UDP port 53 as a source port for DNS requests. And sometimes, we can miss the DNS request. In this case, we can rely on the DNS field QR to identify the direction of the flow.
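The direction decision this issue proposes, as an added Python example that is not the attached patch: it reads the QR bit from the DNS header and falls back to port heuristics only when no DNS header is available; the sample packets are constructed headers, not captured traffic.

```python
import struct

# Constructed 12-byte DNS headers (not from the issue): id, flags, qdcount,
# ancount, nscount, arcount. QR is the most significant bit of the flags word.
def _dns_header(txid, flags, qdcount=1, ancount=0):
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)

QUERY = _dns_header(0x1234, 0x0100)               # QR=0, RD=1
RESPONSE = _dns_header(0x1234, 0x8180, ancount=1)  # QR=1, RD=1, RA=1


def dns_is_response(payload):
    """True if the QR bit says this message is a response, False for a query.
    Anything shorter than a DNS header cannot be classified."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    flags = struct.unpack("!H", payload[2:4])[0]
    return bool(flags & 0x8000)


def classify_first_packet(src_port, dst_port, payload, dns_port=53):
    """Given the first packet observed for a UDP flow, decide whether its
    sender is the DNS client. Returns (sender_is_client, reason).

    Port-based guessing is only unambiguous when exactly one endpoint uses
    port 53; it fails when the client also sends from port 53, and it is
    wrong when the query was missed and the first packet seen is the answer.
    The QR bit is right in both cases, so it takes precedence."""
    if len(payload) >= 12:
        return (not dns_is_response(payload), "qr-bit")
    if src_port == dns_port and dst_port != dns_port:
        return (False, "port")   # only the sender looks like a server
    if dst_port == dns_port and src_port != dns_port:
        return (True, "port")    # only the receiver looks like a server
    raise ValueError("direction undecidable: ambiguous ports and no DNS header")


if __name__ == "__main__":
    print(classify_first_packet(53, 53, QUERY))          # (True, 'qr-bit')
    print(classify_first_packet(53, 40000, RESPONSE))    # (False, 'qr-bit')
    print(classify_first_packet(40000, 53, b""))         # (True, 'port')
```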
[Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII
[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1199:
-
Assignee: Johanna Amann (was: Robin Sommer)

Better error messages for input file errors in READER_ASCII
---
Key: BIT-1199 URL: https://bro-tracker.atlassian.net/browse/BIT-1199 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Reporter: grigorescu Assignee: Johanna Amann Fix For: 2.4 Attachments: test.intel

This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out with:

{code}
internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
{code}

The attached file contains an extra tab after downloader.com. It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number. I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number. (Also, there's a typo in mappimg in the error message that's currently displayed.)
[Bro-Dev] [JIRA] (BIT-1341) topic/dnthayer/fixes-for-2.4beta
[ https://bro-tracker.atlassian.net/browse/BIT-1341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1341:
--
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

topic/dnthayer/fixes-for-2.4beta
Key: BIT-1341 URL: https://bro-tracker.atlassian.net/browse/BIT-1341 Project: Bro Issue Tracker Issue Type: Problem Components: BroControl Reporter: Daniel Thayer Assignee: Robin Sommer Fix For: 2.4

Branch topic/dnthayer/fixes-for-2.4beta in the broctl repo addresses the following issues:

- Improved test setup scripts to specify correct bro install prefix.
- Fix bug where ./configure --conf-files-dir did not work
- Fix bug where ./configure --scriptdir did not work
- Print error messages without showing Python stack trace
- Improved processing of node input args, to remove duplicates and sort
- Improved sorting of the output by node type and name
- Added the deploy command
- Update docs for the deploy command
[Bro-Dev] [JIRA] (BIT-1332) Please merge topic/johanna/cert-validation
[ https://bro-tracker.atlassian.net/browse/BIT-1332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1332:
--
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

Please merge topic/johanna/cert-validation
--
Key: BIT-1332 URL: https://bro-tracker.atlassian.net/browse/BIT-1332 Project: Bro Issue Tracker Issue Type: Improvement Components: Bro Affects Versions: git/master Reporter: Johanna Amann Assignee: Robin Sommer Fix For: 2.4

Please merge topic/johanna/cert-validation. This is an update to the script used to validate certificates in SSL/TLS connections. Description from main commit:

{quote}
Update certificate validation script - new version will cache valid intermediate chains that it encounters on the wire and use those to try to validate chains that might be missing intermediate certificates. This vastly improves the number of certificates that Bro can validate. The only drawback is that now validation behavior is not entirely predictable anymore - the certificate of a server can fail to validate when Bro just started up (due to the intermediate missing), and succeed later, when the intermediate can be found in the cache.

Has been tested on big-ish clusters and should not introduce any performance problems.
{quote}
[Bro-Dev] [JIRA] (BIT-1305) Consider marking some attributes as deprecated
[ https://bro-tracker.atlassian.net/browse/BIT-1305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1305:
--
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

Consider marking some attributes as deprecated
--
Key: BIT-1305 URL: https://bro-tracker.atlassian.net/browse/BIT-1305 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Reporter: Jon Siwek Assignee: Robin Sommer Fix For: 2.4

Likely candidates for deprecation:

rotate_interval
rotate_size
encrypt
mergeable
synchronize
persistent
group

While the mechanism I added in BIT-757 can't be used to mark attributes as deprecated, I'm thinking it's not difficult to just hard code the scanner to emit a warning when encountering certain attributes.
[Bro-Dev] [JIRA] (BIT-1342) Occasional test failures
Robin Sommer created BIT-1342: - Summary: Occasional test failures Key: BIT-1342 URL: https://bro-tracker.atlassian.net/browse/BIT-1342 Project: Bro Issue Tracker Issue Type: Problem Components: BroControl Reporter: Robin Sommer Fix For: 2.4 Two tests in current master fail for me occasionally (usually when I run the full broctl test-suite but not when I rerun just these failing tests). Diag output below. {code} command.start-stop-standalone ... failed % 'btest-diff stop.out' failed unexpectedly (exit code 1) % cat .diag == File === stopping bro ... Exception in thread Thread-1 (most likely raised during interpreter shutdown): Traceback (most recent call last): File /usr/lib64/python2.7/threading.py, line 811, in __bootstrap_inner File /home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py, line File /home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py, line File /usr/lib64/python2.7/Queue.py, line 177, in get File /usr/lib64/python2.7/threading.py, line 354, in wait type 'exceptions.TypeError': 'NoneType' object is not callable == Diff === --- /home/robin/bro/master/aux/broctl/testing/Baseline/command.start-stop-standalone/stop.out 2013-06-01 00:29:07. +++ stop.out 2015-03-17 22:50:01.857838625 + 
@@ -1 +1,9 @@ stopping bro ... +Exception in thread Thread-1 (most likely raised during interpreter shutdown): +Traceback (most recent call last): + File /usr/lib64/python2.7/threading.py, line 811, in __bootstrap_inner + File /home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py, l + File /home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py, l + File /usr/lib64/python2.7/Queue.py, line 177, in get + File /usr/lib64/python2.7/threading.py, line 354, in wait +type 'exceptions.TypeError': 'NoneType' object is not callable === [...] command.start-cluster-slowstart ... failed % 'btest-diff status2.out' failed unexpectedly (exit code 1) % cat .diag == File === Getting process status ... Getting peer status ... Name TypeHost StatusPidPeers Started manager manager localhoststopped proxy-1 proxy localhoststopped worker-1 worker localhoststopped worker-2 worker localhoststopped == Diff === --- /home/robin/bro/master/aux/broctl/testing/Baseline/command.start-cluster-slowstart/status2.out 2015-03-04 20:16 +++ status2.out 2015-03-17 22:50:26.578618684 + @@ -3,5 +3,5 @@ Name TypeHost StatusPidPeers Started manager manager localhoststopped proxy-1 proxy localhoststopped -worker-1 worker localhostcrashed +worker-1 worker localhoststopped worker-2 worker localhoststopped === {code} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
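Review bot: in the stop.out hunk, the nine added lines are a traceback from Thread-1 that is still blocked in Queue.get (via threading.wait) inside BroControl/ssh_runner.py when the interpreter shuts down, and a TypeError of "'NoneType' object is not callable" at that point is the classic symptom of module globals being torn down underneath a thread that is still running; the baseline expects stop.out to contain only "stopping bro ...", so the ssh_runner worker thread should be signalled to stop and joined (or its queue closed) before broctl exits rather than being left to die with the interpreter.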
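Review bot: in the status2.out hunk the only difference is worker-1's status, "crashed" in the baseline versus "stopped" in this run, so the test's outcome depends on whether the status check observes the node after it died or after it was cleanly stopped; that is a timing-dependent expectation rather than a wrong line in either file, which fits the report that it only fails under the full suite and passes when rerun alone, and the test should either wait for the state it wants to observe or accept both values.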
[Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII
[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1199:
--
Status: Open (was: Merge Request)

Better error messages for input file errors in READER_ASCII
---
Key: BIT-1199 URL: https://bro-tracker.atlassian.net/browse/BIT-1199 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Reporter: grigorescu Assignee: Johanna Amann Fix For: 2.4 Attachments: test.intel

This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out with:

{code}
internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
{code}

The attached file contains an extra tab after downloader.com. It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number. I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number. (Also, there's a typo in mappimg in the error message that's currently displayed.)
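The kind of diagnostic this issue asks for, as an added Python example that is not part of Bro's ASCII reader: it checks each tab-separated record against the #fields header and reports file name, line number and the likely extra tab, using a constructed intel-style sample that reproduces the defect described (an extra tab after downloader.com, which shifts an empty string into the enum-typed indicator_type column).

```python
# Constructed sample in intel-file layout (not the attached test.intel):
# a #fields header, tab-separated records, and one record with an extra tab.
SAMPLE_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "evil.example\tIntel::DOMAIN\tconstructed\n"
    "downloader.com\t\tIntel::DOMAIN\tconstructed\n"
    "10.0.0.1\tIntel::ADDR\tconstructed\n"
)


def check_field_counts(text, filename="test.intel"):
    """Validate a tab-separated input file against its #fields header.
    Returns a list of 'file:line: message' strings, one per bad record,
    so the caller can point the user at the exact line instead of failing
    deep inside enum conversion."""
    problems = []
    expected = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line or line.startswith("#"):
            if line.startswith("#fields"):
                # Column names follow the "#fields" token.
                expected = len(line.split("\t")) - 1
            continue
        if expected is None:
            problems.append(f"{filename}:{lineno}: data before #fields header")
            continue
        fields = line.split("\t")
        if len(fields) != expected:
            # An empty field is the usual footprint of a doubled tab.
            empties = [i + 1 for i, f in enumerate(fields) if f == ""]
            hint = ""
            if empties:
                hint = f" (empty field at column {empties[0]}, probably an extra tab)"
            problems.append(
                f"{filename}:{lineno}: expected {expected} fields, "
                f"found {len(fields)}{hint}"
            )
    return problems


if __name__ == "__main__":
    for problem in check_field_counts(SAMPLE_INTEL):
        print(problem)
```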
[Bro-Dev] [JIRA] (BIT-1330) topic/python3-compat
[ https://bro-tracker.atlassian.net/browse/BIT-1330?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1330:
--
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

topic/python3-compat
Key: BIT-1330 URL: https://bro-tracker.atlassian.net/browse/BIT-1330 Project: Bro Issue Tracker Issue Type: Improvement Components: pysubnettree Reporter: Jon Siwek Assignee: Robin Sommer Fix For: 2.4

Updates to pysubnettree for Python 3 compatibility: have to now consider that bytes are a distinct type from strings and allow the API to accept either.
[Bro-Dev] [JIRA] (BIT-1305) Consider marking some attributes as deprecated
[ https://bro-tracker.atlassian.net/browse/BIT-1305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=19988#comment-19988 ]

Robin Sommer commented on BIT-1305:
---
I'll remove mergeable from the list, as that goes with synchronized.

Consider marking some attributes as deprecated
--
Key: BIT-1305 URL: https://bro-tracker.atlassian.net/browse/BIT-1305 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Reporter: Jon Siwek Assignee: Robin Sommer Fix For: 2.4

Likely candidates for deprecation:

rotate_interval
rotate_size
encrypt
mergeable
synchronize
persistent
group

While the mechanism I added in BIT-757 can't be used to mark attributes as deprecated, I'm thinking it's not difficult to just hard code the scanner to emit a warning when encountering certain attributes.
[Bro-Dev] [JIRA] (BIT-1341) topic/dnthayer/fixes-for-2.4beta
[ https://bro-tracker.atlassian.net/browse/BIT-1341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1341:
-
Assignee: Robin Sommer

topic/dnthayer/fixes-for-2.4beta
Key: BIT-1341 URL: https://bro-tracker.atlassian.net/browse/BIT-1341 Project: Bro Issue Tracker Issue Type: Problem Components: BroControl Reporter: Daniel Thayer Assignee: Robin Sommer Fix For: 2.4

Branch topic/dnthayer/fixes-for-2.4beta in the broctl repo addresses the following issues:

- Improved test setup scripts to specify correct bro install prefix.
- Fix bug where ./configure --conf-files-dir did not work
- Fix bug where ./configure --scriptdir did not work
- Print error messages without showing Python stack trace
- Improved processing of node input args, to remove duplicates and sort
- Improved sorting of the output by node type and name
- Added the deploy command
- Update docs for the deploy command
[Bro-Dev] [JIRA] (BIT-1332) Please merge topic/johanna/cert-validation
[ https://bro-tracker.atlassian.net/browse/BIT-1332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1332:
-
Assignee: Robin Sommer

Please merge topic/johanna/cert-validation
--
Key: BIT-1332 URL: https://bro-tracker.atlassian.net/browse/BIT-1332 Project: Bro Issue Tracker Issue Type: Improvement Components: Bro Affects Versions: git/master Reporter: Johanna Amann Assignee: Robin Sommer Fix For: 2.4

Please merge topic/johanna/cert-validation. This is an update to the script used to validate certificates in SSL/TLS connections. Description from main commit:

{quote}
Update certificate validation script - new version will cache valid intermediate chains that it encounters on the wire and use those to try to validate chains that might be missing intermediate certificates. This vastly improves the number of certificates that Bro can validate. The only drawback is that now validation behavior is not entirely predictable anymore - the certificate of a server can fail to validate when Bro just started up (due to the intermediate missing), and succeed later, when the intermediate can be found in the cache.

Has been tested on big-ish clusters and should not introduce any performance problems.
{quote}
[Bro-Dev] [JIRA] (BIT-1077) fix policy/protocols/http/header-names.bro
[ https://bro-tracker.atlassian.net/browse/BIT-1077?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1077:
-
Assignee: Robin Sommer

fix policy/protocols/http/header-names.bro
--
Key: BIT-1077 URL: https://bro-tracker.atlassian.net/browse/BIT-1077 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Affects Versions: git/master Reporter: Jon Siwek Assignee: Robin Sommer Fix For: 2.4

This script is wrong for the {{log_server_header_names}} case.
[Bro-Dev] [JIRA] (BIT-1304) trace-summary should be updated to support newer versions of Python
[ https://bro-tracker.atlassian.net/browse/BIT-1304?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1304:
--
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

trace-summary should be updated to support newer versions of Python
---
Key: BIT-1304 URL: https://bro-tracker.atlassian.net/browse/BIT-1304 Project: Bro Issue Tracker Issue Type: Problem Components: trace-summary Reporter: Daniel Thayer Fix For: 2.4

Some of the code in trace-summary is not valid syntax on Python version >= 3. It should be updated to work on any Python version >= 2.6.
[Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker
[ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1319:
--
Yeah, I'm still mulling over that. Let's chat a bit about that next week, it's certainly not a must-have right now.

Just go ahead and merge, I'll try the tests later. Thanks for the renaming. Great to see we have Python bindings!

topic/jsiwek/broker
---
Key: BIT-1319 URL: https://bro-tracker.atlassian.net/browse/BIT-1319 Project: Bro Issue Tracker Issue Type: New Feature Components: Bro Reporter: Jon Siwek Assignee: Robin Sommer Fix For: 2.4

The topic/jsiwek/broker branch is in the bro and cmake repos to add the initial support for Broker.

Notes/Disclaimers/Caveats:

- Bro has a --enable-broker configure flag.
- requires actor-framework develop branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that.
- no C bindings yet
- no Python bindings yet
- other than checking compilation and that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc.
Re: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker
> Didn't do anything about adding synchronous data store query API, maybe that's an improvement we can think about for later?

Yeah, I'm still mulling over that. Let's chat a bit about that next week, it's certainly not a must-have right now.

> So not much here is probably that critical to review; let me know if you just want me to merge it (but I'd still like if you could let me know about the unit tests that failed before).

Just go ahead and merge, I'll try the tests later. Thanks for the renaming. Great to see we have Python bindings!
[Bro-Dev] [JIRA] (BIT-1320) topic/jazoff/broctld
[ https://bro-tracker.atlassian.net/browse/BIT-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=19911#comment-19911 ]

Robin Sommer commented on BIT-1320:
---
Merging. This is such a large change set across the whole code base that I can't really review it. But I trust you guys. :-)

topic/jazoff/broctld
Key: BIT-1320 URL: https://bro-tracker.atlassian.net/browse/BIT-1320 Project: Bro Issue Tracker Issue Type: Problem Components: BroControl Reporter: Daniel Thayer Assignee: Robin Sommer Fix For: 2.4

Branch topic/jazoff/broctld in the broctl repo contains significant code reorganization for the upcoming broctld. Here is a high-level list of changes:

1) Refactor broctl to make it usable as a library (reduce global state, module-level setup code, and functions return results instead of printing),
2) Integrate ssh_runner code into broctl to fix current problems (use only one connection per host instead of one per Bro node, broctl shouldn't hang when a host goes down or if we forgot to run broctl install),
3) Write state info using SQLite state storage instead of writing to a plain text file (broctl.dat),
4) When the node config changes, we now do additional checks if there are any Bro nodes running that are no longer in our node config and warn user if any are detected,
5) Keep track of the expected state (running or stopped) of each Bro node, and have broctl cron start or stop nodes as needed,
6) Improved broctl cron by adding two new options (MailHostUpDown and StatsLogEnable) to give users the option to turn off unwanted functionality to speed up broctl cron and reduce the chance of errors,
7) When broctl cron tries to send email but fails, now it will output a message that includes the text it was trying to mail,
8) Silence warning messages (that are intended for interactive use of broctl) when broctl cron runs to reduce unwanted emails from cron,
9) Added new broctl option StatusCmdShowAll to enable users to speed up broctl status significantly,
10) Fixed the stats-to-csv script to not create files that can never include any data,
11) Fixed archive-log script to detect exit status of gzip or cp command, so that we don't delete log file when the archival fails,
12) Improved post-terminate script to process log files more consistently,
13) Made all broctl command output go to stdout (previously, some output would go to stderr, which made grepping or redirecting the output more difficult),
14) Improved the default broctl.cfg file to show more of the useful options,
15) Added more error checks to help catch errors earlier,
16) Some error message output is more specific and helpful now
[Bro-Dev] [JIRA] (BIT-1320) topic/jazoff/broctld
[ https://bro-tracker.atlassian.net/browse/BIT-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1320:
--
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

topic/jazoff/broctld
Key: BIT-1320 URL: https://bro-tracker.atlassian.net/browse/BIT-1320 Project: Bro Issue Tracker Issue Type: Problem Components: BroControl Reporter: Daniel Thayer Assignee: Robin Sommer Fix For: 2.4

Branch topic/jazoff/broctld in the broctl repo contains significant code reorganization for the upcoming broctld. Here is a high-level list of changes:

1) Refactor broctl to make it usable as a library (reduce global state, module-level setup code, and functions return results instead of printing),
2) Integrate ssh_runner code into broctl to fix current problems (use only one connection per host instead of one per Bro node, broctl shouldn't hang when a host goes down or if we forgot to run broctl install),
3) Write state info using SQLite state storage instead of writing to a plain text file (broctl.dat),
4) When the node config changes, we now do additional checks if there are any Bro nodes running that are no longer in our node config and warn user if any are detected,
5) Keep track of the expected state (running or stopped) of each Bro node, and have broctl cron start or stop nodes as needed,
6) Improved broctl cron by adding two new options (MailHostUpDown and StatsLogEnable) to give users the option to turn off unwanted functionality to speed up broctl cron and reduce the chance of errors,
7) When broctl cron tries to send email but fails, now it will output a message that includes the text it was trying to mail,
8) Silence warning messages (that are intended for interactive use of broctl) when broctl cron runs to reduce unwanted emails from cron,
9) Added new broctl option StatusCmdShowAll to enable users to speed up broctl status significantly,
10) Fixed the stats-to-csv script to not create files that can never include any data,
11) Fixed archive-log script to detect exit status of gzip or cp command, so that we don't delete log file when the archival fails,
12) Improved post-terminate script to process log files more consistently,
13) Made all broctl command output go to stdout (previously, some output would go to stderr, which made grepping or redirecting the output more difficult),
14) Improved the default broctl.cfg file to show more of the useful options,
15) Added more error checks to help catch errors earlier,
16) Some error message output is more specific and helpful now
[Bro-Dev] [JIRA] (BIT-1270) topic/gilbert/plugin-api-tweak
[ https://bro-tracker.atlassian.net/browse/BIT-1270?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1270: -- Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) topic/gilbert/plugin-api-tweak -- Key: BIT-1270 URL: https://bro-tracker.atlassian.net/browse/BIT-1270 Project: Bro Issue Tracker Issue Type: Improvement Components: Bro Reporter: gclark Assignee: gclark
This branch makes a few changes to the API:
* Wraps values in a simple class (ValWrapper) that includes an explicit processed / not processed flag (to avoid confusion with delayed / opaque invocations).
* Adds a Frame argument to HookCallFunction
* Adds support for Frame argument types to HookArgument
* Adds support for ValWrapper argument types to HookArgument
* Tweaks the plugin.hooks tests a bit to include the new output (from the additional argument)
* Tweaks plugin.api-version-mismatch to remove the explicit home directory path via a simple regex
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1322) btest should warn when using -T option but cannot create timing baseline
[ https://bro-tracker.atlassian.net/browse/BIT-1322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1322: -- Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) btest should warn when using -T option but cannot create timing baseline Key: BIT-1322 URL: https://bro-tracker.atlassian.net/browse/BIT-1322 Project: Bro Issue Tracker Issue Type: Problem Components: BTest Reporter: Daniel Thayer Fix For: 2.4 When using btest -T on a system that cannot perform timing measurements there is no warning message to notify the user that the requested operation (create a timing baseline) cannot be performed. This is especially confusing on a Linux machine that has the perf command installed, but not other required components. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1320) topic/jazoff/broctld
[ https://bro-tracker.atlassian.net/browse/BIT-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer reassigned BIT-1320: - Assignee: Robin Sommer topic/jazoff/broctld Key: BIT-1320 URL: https://bro-tracker.atlassian.net/browse/BIT-1320 Project: Bro Issue Tracker Issue Type: Problem Components: BroControl Reporter: Daniel Thayer Assignee: Robin Sommer Fix For: 2.4
Branch topic/jazoff/broctld in the broctl repo contains significant code reorganization for the upcoming broctld. Here is a high-level list of changes:
1) Refactor broctl to make it usable as a library (reduce global state and module-level setup code, and have functions return results instead of printing),
2) Integrate the ssh_runner code into broctl to fix current problems (use only one connection per host instead of one per Bro node; broctl shouldn't hang when a host goes down or if we forgot to run broctl install),
3) Write state info to SQLite state storage instead of a plain text file (broctl.dat),
4) When the node config changes, we now do additional checks for any Bro nodes running that are no longer in our node config and warn the user if any are detected,
5) Keep track of the expected state (running or stopped) of each Bro node, and have broctl cron start or stop nodes as needed,
6) Improved broctl cron by adding two new options (MailHostUpDown and StatsLogEnable) to give users the option to turn off unwanted functionality, to speed up broctl cron and reduce the chance of errors,
7) When broctl cron tries to send email but fails, it now outputs a message that includes the text it was trying to mail,
8) Silence warning messages (that are intended for interactive use of broctl) when broctl cron runs, to reduce unwanted emails from cron,
9) Added a new broctl option StatusCmdShowAll to let users speed up broctl status significantly,
10) Fixed the stats-to-csv script to not create files that can never include any data,
11) Fixed the archive-log script to detect the exit status of the gzip or cp command, so that we don't delete the log file when the archival fails,
12) Improved the post-terminate script to process log files more consistently,
13) Made all broctl command output go to stdout (previously, some output would go to stderr, which made grepping or redirecting the output more difficult),
14) Improved the default broctl.cfg file to show more of the useful options,
15) Added more error checks to help catch errors earlier,
16) Some error message output is more specific and helpful now
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
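Item 11 in both BIT-1320 notifications above (the archive-log fix: check the exit status of gzip or cp before removing the original log) is the one change in that list with a direct evidence-retention consequence, since a script that ignores the compressor's exit status silently discards the only copy of a log on a full disk. The POSIX shell function below is an added example of that pattern; it is not broctl's own archive-log script, and the function name, the temporary-file naming, the sample conn.log content and the directory layout are all constructed for the demo.

```sh
#!/bin/sh
# Added example: compress a log into an archive directory and delete the
# original only after every step has succeeded. This is not broctl's
# archive-log script; names and the sample log below are constructed.
#
# The bug class being avoided looks like this (gzip's status is ignored,
# so a failed gzip on a full disk still triggers the rm):
#     gzip -c "$src" > "$dst"; rm -f "$src"

archive_log() {
    al_src=$1
    al_dir=$2

    [ -f "$al_src" ] || { echo "archive_log: no such file: $al_src" >&2; return 1; }

    # A destination that cannot be created is a failure, not a reason to delete.
    mkdir -p "$al_dir" || { echo "archive_log: cannot create $al_dir" >&2; return 1; }

    al_base=$(basename "$al_src")
    al_tmp="$al_dir/.$al_base.gz.partial"
    al_out="$al_dir/$al_base.gz"

    # Write under a temporary name first so a crash mid-way never leaves a
    # half-written archive under the final name. gzip's exit status decides.
    if ! gzip -c "$al_src" > "$al_tmp"; then
        echo "archive_log: gzip failed for $al_src, keeping original" >&2
        rm -f "$al_tmp"
        return 1
    fi

    # Integrity check of the archive before the original is touched.
    if ! gzip -t "$al_tmp"; then
        echo "archive_log: archive of $al_src is corrupt, keeping original" >&2
        rm -f "$al_tmp"
        return 1
    fi

    # Rename into place; only now is the source removed.
    mv "$al_tmp" "$al_out" || { rm -f "$al_tmp"; return 1; }
    rm -f "$al_src"
}

# Demo on a constructed conn.log in a temporary directory.
demo_dir=$(mktemp -d)
printf '#fields ts uid id.orig_h\n1424473200.0 CXWv6p3arKYeMETxOg 10.0.0.5\n' \
    > "$demo_dir/conn.log"

# Failure path first: the archive path is an existing regular file, so
# mkdir -p fails and the original log must survive.
: > "$demo_dir/blocker"
archive_log "$demo_dir/conn.log" "$demo_dir/blocker" \
    || echo "archival failed, original kept: $(ls "$demo_dir")"

# Success path: the archive appears and the original is gone.
if archive_log "$demo_dir/conn.log" "$demo_dir/archive"; then
    echo "archived: $(ls "$demo_dir/archive")"
fi
```

The two checks that matter are the `if ! gzip ...` around the compressor and the `gzip -t` before the `rm`; a `cp`-based variant would keep the same shape, with `cp`'s status guarding the delete.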
Re: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)
On Fri, Feb 20, 2015 at 15:08 -0800, you wrote: newer libpcap version - now the build fails because of pcap_offline_filter: Oh, I thought that's a function which had been around for a while. That's not easy to get rid of, it provides BPF filtering for packet source plugins that can't do that natively (like netmap). Do you happen to know if there's another way to do that with older pcaps? Robin -- Robin Sommer * ICSI/LBNL * ro...@icir.org * www.icir.org/robin ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1318) topic/robin/plugin-updates
[ https://bro-tracker.atlassian.net/browse/BIT-1318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1318: -- Status: Merge Request (was: Open) topic/robin/plugin-updates -- Key: BIT-1318 URL: https://bro-tracker.atlassian.net/browse/BIT-1318 Project: Bro Issue Tracker Issue Type: Improvement Components: Bro Affects Versions: git/master Reporter: Robin Sommer
A set of improvements to Bro's support for dynamic plugins. Branch topic/robin/plugin-updates in bro, bro-aux, cmake, and bro-plugins. This includes primarily updates to the init-plugin helper script:
- the script now sets up the skeleton plugin so that the *build/* directory becomes the place where the final plugin lives (rather than the top-level source directory). BRO_PLUGIN_PATH needs to point there now. make distclean simply deletes the build directory.
- the skeleton builds a binary plugin distribution in build/dist, and make install uses that to put the plugin in place. The Makefile targets bdist and sdist are gone.
- CMakeLists.txt supports a new macro bro_plugin_dist_files to specify additional files to include in the binary plugin distribution.
- init-plugin now takes an additional parameter with the directory in which to create the plugin.
- the configure script now sources a local configure.plugin for adding custom options without touching the main script.
- Makefile reloads cached CMake variables when Bro has been reconfigured. Addresses #1302.
The changes further include:
- Bro's make install now always creates the plugin installation directory.
- Removed setting BRO_PLUGIN_PATH from bro-path-dev.sh. Addresses #1312.
- Adapting the plugin documentation to the changes.
- Adapting the three plugins in aux/plugins to the changes.
- Bro's make install removes some old scripts that have moved into plugins, but might still exist from a previous installation.
- The plugin manager treats plugin names as case-insensitive for some internal lookups to be a bit more tolerant in cases that could be hard to catch otherwise.
-- This message was sent by Atlassian JIRA (v6.4-OD-14-082#64012) ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1318) topic/robin/plugin-updates
Robin Sommer created BIT-1318: - Summary: topic/robin/plugin-updates Key: BIT-1318 URL: https://bro-tracker.atlassian.net/browse/BIT-1318 Project: Bro Issue Tracker Issue Type: Improvement Components: Bro Affects Versions: git/master Reporter: Robin Sommer
A set of improvements to Bro's support for dynamic plugins. Branch topic/robin/plugin-updates in bro, bro-aux, cmake, and bro-plugins. This includes primarily updates to the init-plugin helper script:
- the script now sets up the skeleton plugin so that the *build/* directory becomes the place where the final plugin lives (rather than the top-level source directory). BRO_PLUGIN_PATH needs to point there now. make distclean simply deletes the build directory.
- the skeleton builds a binary plugin distribution in build/dist, and make install uses that to put the plugin in place. The Makefile targets bdist and sdist are gone.
- CMakeLists.txt supports a new macro bro_plugin_dist_files to specify additional files to include in the binary plugin distribution.
- init-plugin now takes an additional parameter with the directory in which to create the plugin.
- the configure script now sources a local configure.plugin for adding custom options without touching the main script.
- Makefile reloads cached CMake variables when Bro has been reconfigured. Addresses #1302.
The changes further include:
- Bro's make install now always creates the plugin installation directory.
- Removed setting BRO_PLUGIN_PATH from bro-path-dev.sh. Addresses #1312.
- Adapting the plugin documentation to the changes.
- Adapting the three plugins in aux/plugins to the changes.
- Bro's make install removes some old scripts that have moved into plugins, but might still exist from a previous installation.
- The plugin manager treats plugin names as case-insensitive for some internal lookups to be a bit more tolerant in cases that could be hard to catch otherwise.
-- This message was sent by Atlassian JIRA (v6.4-OD-14-082#64012) ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
Re: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)
On Wed, Feb 18, 2015 at 23:10 +, you wrote: I’m not that familiar either, but think it may be fine to provide our own preprocessor definition if it doesn’t exist. I'll remove the dependency on the macro, it's used mainly as placeholder value, and we can use our own for that. Robin -- Robin Sommer * ICSI/LBNL * ro...@icir.org * www.icir.org/robin ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
Re: [Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'
For the record: I'm for it, too. :) Will merge. On Sun, Feb 15, 2015 at 22:14 -0600, you wrote: [ https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Seth Hall updated BIT-1315: --- Let’s go ahead and merge it then. :) Teach Bro how to 'while' Key: BIT-1315 URL: https://bro-tracker.atlassian.net/browse/BIT-1315 Project: Bro Issue Tracker Issue Type: New Feature Components: Bro Reporter: Jon Siwek Priority: Low Fix For: 2.4 topic/jsiwek/while has an implementation of a general purpose 'while' loop. If one wants to hack around the current limitation of only looping over collections, they're going to do it (e.g. recursion), so why not just provide a more convenient way instead? The mess you have to write to work around the limitation may be more error-prone than just providing a simple while loop. An alternative to adding 'while' to the language might be to allow for () to be an unbounded loop and force the author to put the necessary break/return conditions in the body. -- This message was sent by Atlassian JIRA (v6.4-OD-14-082#64012) ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'
[ https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1315: -- For the record: I'm for it, too. :) Will merge. Teach Bro how to 'while' Key: BIT-1315 URL: https://bro-tracker.atlassian.net/browse/BIT-1315 Project: Bro Issue Tracker Issue Type: New Feature Components: Bro Reporter: Jon Siwek Priority: Low Fix For: 2.4 topic/jsiwek/while has an implementation of a general purpose 'while' loop. If one wants to hack around the current limitation of only looping over collections, they're going to do it (e.g. recursion), so why not just provide a more convenient way instead? The mess you have to write to work around the limitation may be more error-prone than just providing a simple while loop. An alternative to adding 'while' to the language might be to allow for () to be an unbounded loop and force the author to put the necessary break/return conditions in the body. -- This message was sent by Atlassian JIRA (v6.4-OD-14-082#64012) ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'
[ https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer reassigned BIT-1315: - Assignee: Robin Sommer Teach Bro how to 'while' Key: BIT-1315 URL: https://bro-tracker.atlassian.net/browse/BIT-1315 Project: Bro Issue Tracker Issue Type: New Feature Components: Bro Reporter: Jon Siwek Assignee: Robin Sommer Priority: Low Fix For: 2.4 topic/jsiwek/while has an implementation of a general purpose 'while' loop. If one wants to hack around the current limitation of only looping over collections, they're going to do it (e.g. recursion), so why not just provide a more convenient way instead? The mess you have to write to work around the limitation may be more error-prone than just providing a simple while loop. An alternative to adding 'while' to the language might be to allow for () to be an unbounded loop and force the author to put the necessary break/return conditions in the body. -- This message was sent by Atlassian JIRA (v6.4-OD-14-082#64012) ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev