[Bro-Dev] [JIRA] (BIT-985) 'tail -f' functionality for file reading in input framework

2015-04-17 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-985:
-
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 'tail -f' functionality for file reading in input framework
 ---

 Key: BIT-985
 URL: https://bro-tracker.atlassian.net/browse/BIT-985
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Affects Versions: git/master
Reporter: scampbell
Assignee: Robin Sommer
Priority: Low
 Fix For: 2.4

 Attachments: input.diff, PATCH


 With the current input framework, file data - event translation requires 
 that the entire data file be read at bro start time. This can be prohibitive 
 when the file sizes become large ( 1GB ). 
 It would be great to see a file open option that would start reading at the 
 end of the file.



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


[Bro-Dev] [JIRA] (BIT-1377) Please merge topic/johanna/conn-threshold

2015-04-17 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1377?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1377:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 Please merge topic/johanna/conn-threshold
 -

 Key: BIT-1377
 URL: https://bro-tracker.atlassian.net/browse/BIT-1377
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Robin Sommer
 Fix For: 2.4


 Please merge topic/johanna/conn-threshold. This branch adds a high-level and 
 a low-level API for connection thresholding (packets or bytes).
 The functions that are exposed to users are:
 {code}
 ConnThreshold::set_bytes_threshold(c, [bytes], [direction]);
 ConnThreshold::set_packets_threshold(c, [packets], [direction]);
 {code}
 as well as ConnThreshold::delete_bytes_threshold and 
 ConnThreshold::delete_packets_threshold to delete thresholds. Several 
 thresholds can be added for a single connection; all of them will be raised.
 The following two events trigger with the thresholds:
 {code}
 event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
 event ConnThreshold::packets_threshold_crossed(c: connection, threshold: count, is_orig: bool)
 {code}





[Bro-Dev] [JIRA] (BIT-1375) Please merge topic/johanna/ca-list

2015-04-16 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1375?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1375:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 Please merge topic/johanna/ca-list
 --

 Key: BIT-1375
 URL: https://bro-tracker.atlassian.net/browse/BIT-1375
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Robin Sommer
 Fix For: 2.4


 Please merge topic/johanna/ca-list. This updates the Mozilla CA list to the 
 current state and changes a few tests to continue working (CAs that were used 
 in their traces were removed from the CA list). It also fixes the CA list 
 that is used for the external test suite; those traces are kind of old now, 
 more and more of the CAs in them are no longer valid, and it does not really 
 make sense to update them on each change...





[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters

2015-04-16 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1333:
-

Assignee: Seth Hall  (was: Robin Sommer)

 Bro's ASCII logging facilities do not escape escape characters
 --

 Key: BIT-1333
 URL: https://bro-tracker.atlassian.net/browse/BIT-1333
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: 2.3
Reporter: Paul Pearce
Assignee: Seth Hall
 Fix For: 2.4


 * Bro escapes non-printable ASCII characters with either \x?? or ^ depending 
 on the character 
 (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html). 
 * Bro does not, however, escape \ or ^. 
 * This behavior makes recovering the original string impossible, as you can 
 not differentiate between an escaped sequence and a string containing those 
 characters. 
 Examples: 
 {noformat}
 $ bro -e 'event bro_init() { print "foo \xc2\xae bar \\xc2\\xae baz"; }'
 foo \xc2\xae bar \xc2\xae baz
 $ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'
 foo\0bar\0baz
 $ bro -e 'event bro_init() { print "foo \16 bar ^N baz"; }'
 foo ^N bar ^N baz
 {noformat}
 Additionally, it would be ideal if there was a way to standardize escaping to 
 a single syntax (\x?? for all, for example). This would allow post-processing 
 of the bro logs in languages like Python or Ruby trivially using existing 
 decode/encode functionality. I'm happy to file a separate feature request for 
 this behavior, if that is preferred.
 I brought this up on the mailing list 
 (http://mailman.icsi.berkeley.edu/pipermail/bro/2015-February/008174.html). 
 It was suggested (off list) that I file a ticket as well.





[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters

2015-04-16 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20306#comment-20306
 ] 

Robin Sommer commented on BIT-1333:
---

Assigning this back to Seth for review and merging.

 Bro's ASCII logging facilities do not escape escape characters
 --

 Key: BIT-1333
 URL: https://bro-tracker.atlassian.net/browse/BIT-1333
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: 2.3
Reporter: Paul Pearce
Assignee: Seth Hall
 Fix For: 2.4







[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters

2015-04-16 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20307#comment-20307
 ] 

Robin Sommer commented on BIT-1333:
---

Oh, still need to update external tests actually, just a second. :) 

 Bro's ASCII logging facilities do not escape escape characters
 --

 Key: BIT-1333
 URL: https://bro-tracker.atlassian.net/browse/BIT-1333
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: 2.3
Reporter: Paul Pearce
Assignee: Seth Hall
 Fix For: 2.4







[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters

2015-04-16 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1333:
--
Status: Open  (was: Merge Request)

 Bro's ASCII logging facilities do not escape escape characters
 --

 Key: BIT-1333
 URL: https://bro-tracker.atlassian.net/browse/BIT-1333
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: 2.3
Reporter: Paul Pearce
Assignee: Robin Sommer
 Fix For: 2.4







[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters

2015-04-16 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1333:
-

Assignee: Robin Sommer  (was: Seth Hall)

 Bro's ASCII logging facilities do not escape escape characters
 --

 Key: BIT-1333
 URL: https://bro-tracker.atlassian.net/browse/BIT-1333
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: 2.3
Reporter: Paul Pearce
Assignee: Robin Sommer
 Fix For: 2.4







[Bro-Dev] [JIRA] (BIT-1331) Bro manager crashes when logs rotate

2015-04-16 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1331:
--
Resolution: Fixed
Status: Closed  (was: Open)

 Bro manager crashes when logs rotate
 

 Key: BIT-1331
 URL: https://bro-tracker.atlassian.net/browse/BIT-1331
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master, 2.4
 Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
Reporter: Josh Liburdi
Assignee: Robin Sommer
 Fix For: 2.4


 The Bro manager crashes when the logs rotate. Workers run fine through this 
 process. 
 stderr.log output:
 {noformat}
 internal error: finish missing
 /usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup $mybro $@
 send-mail: SENDMAIL-NOTFOUND not found
 {noformat}





[Bro-Dev] [JIRA] (BIT-1331) Bro manager crashes when logs rotate

2015-04-16 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20313#comment-20313
 ] 

Robin Sommer commented on BIT-1331:
---

Should be fixed in 9260638948502c795d34f60c095ca33f74bb106a

 Bro manager crashes when logs rotate
 

 Key: BIT-1331
 URL: https://bro-tracker.atlassian.net/browse/BIT-1331
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master, 2.4
 Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
Reporter: Josh Liburdi
Assignee: Robin Sommer
 Fix For: 2.4







[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters

2015-04-14 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20302#comment-20302
 ] 

Robin Sommer commented on BIT-1333:
---

I can see doing this generally for logging. So would it work if we did the 
backslash escaping for logging, but stayed with my suggestion above for print 
and other script-land stuff?

 Bro's ASCII logging facilities do not escape escape characters
 --

 Key: BIT-1333
 URL: https://bro-tracker.atlassian.net/browse/BIT-1333
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: 2.3
Reporter: Paul Pearce
Assignee: Robin Sommer
 Fix For: 2.4







[Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters

2015-04-14 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20300#comment-20300
 ] 

Robin Sommer commented on BIT-1333:
---

I don't think this is quite right yet: we can't really generally escape 
backslashes on print. If we did, we'd get for example this:

{code}
# cat a.bro
event bro_init()
	{
	local a = "abc\0def";
	local b = escape_string(a);
	print b;
	}

# bro ./a.bro
abc\\x00def
{code}

I.e., escape_string() inserts \x00, and then the print escapes that 
backslash.

What if we did the backslash escape only on special request, that is, when 
calling escape_string() and similar functions? If one wants the reversible 
representation, one would then need to call such a function; whereas the 
semantics for a normal print would remain "make sure it doesn't output 
non-printable characters", without being reversible. 

 Bro's ASCII logging facilities do not escape escape characters
 --

 Key: BIT-1333
 URL: https://bro-tracker.atlassian.net/browse/BIT-1333
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: 2.3
Reporter: Paul Pearce
Assignee: Robin Sommer
 Fix For: 2.4







[Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers

2015-04-11 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1306:
--
Resolution: Fixed
Status: Closed  (was: Open)

 bro process would get stuck/freeze with myricom drivers
 ---

 Key: BIT-1306
 URL: https://bro-tracker.atlassian.net/browse/BIT-1306
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
 Environment:  OS: FreeBSD 9.3-RELEASE-p5 OS
 bro version 2.3-328
 git log -1 --format=%H
 379593c7fded0f9791ae71a52dd78a4c9d5a2c1f
Reporter: Aashish Sharma
Assignee: Robin Sommer
  Labels: bro-git, myricom
 Fix For: 2.4


 When I stop bro (in cluster mode), one of the bro worker processes (random) 
 would get stuck and wouldn't shut down, stop, or even be killed using kill -s 9. 
 The system ultimately has to be rebooted to remove the stuck bro process. 
 On running myri_start_stop I see:
 {noformat}
 # /usr/local/opt/snf/sbin/myri_start_stop stop
 Removing myri_snf.ko
 kldunload: can't unload file: Device busy
 {noformat}
 It appears that the myri_snf.ko driver cannot be unloaded because of the 
 stuck bro process. That process still has an open descriptor on the Sniffer 
 device/driver, and the bro process freezes. 
 More details:
 The bro process is stuck in RNE state:
 {noformat}
 R   Marks a runnable process.
 N   The process has reduced CPU scheduling priority (see setpriority(2)).
 E   The process is trying to exit.
 {noformat}
 Here is an example:
 {noformat}
 ### stuck process:
 [bro@01 ~]$ ps auxwww | fgrep 1616
 bro   1616  100.0  0.0 758040 60480 ??  RNE   2:57PM   53:50.04 /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
 {noformat}
 When checking for the process in /proc:
 {noformat}
 [bro@c ~]$ ls -l /proc/1616
 ls: /proc/1616: No such file or directory
 {noformat}





[Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers

2015-04-11 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20261#comment-20261
 ] 

Robin Sommer commented on BIT-1306:
---

Thanks, Keith! Closing ticket.

 bro process would get stuck/freeze with myricom drivers
 ---

 Key: BIT-1306
 URL: https://bro-tracker.atlassian.net/browse/BIT-1306
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
 Environment:  OS: FreeBSD 9.3-RELEASE-p5 OS
 bro version 2.3-328
 git log -1 --format=%H
 379593c7fded0f9791ae71a52dd78a4c9d5a2c1f
Reporter: Aashish Sharma
Assignee: Robin Sommer
  Labels: bro-git, myricom
 Fix For: 2.4







[Bro-Dev] [JIRA] (BIT-1372) Clean up ---help

2015-04-10 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1372:
--
Resolution: Fixed
Status: Closed  (was: In Progress)

 Clean up ---help
 

 Key: BIT-1372
 URL: https://bro-tracker.atlassian.net/browse/BIT-1372
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Robin Sommer
Assignee: Robin Sommer
 Fix For: 2.4


 Remove netflow and DFA cache (plus dead code).





[Bro-Dev] [JIRA] (BIT-1356) Bro process sticks around after broctl stop

2015-04-10 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20258#comment-20258
 ] 

Robin Sommer commented on BIT-1356:
---

Can somebody see if 0620bc97 helps?

 Bro process sticks around after broctl stop
 ---

 Key: BIT-1356
 URL: https://bro-tracker.atlassian.net/browse/BIT-1356
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
 Fix For: 2.4


 It seems that after running a broctl stop not all bro processes are killed 
 immediately. On our cluster, one of the processes keeps running; it seems like 
 it eventually terminates after all log compression is done. Is that on 
 purpose or is that a bug?
 ps output (on the node running the manager, bro process in first line, 
 including the running compression jobs for completeness):
 {code}
 $ ps -ax | grep bro
 23353  -  IN   20:06.96 /xa/bro/master/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
 24979  -  I 0:00.01 bash /xa/bro/master/share/broctl/scripts/archive-log http.2015-03-25-14-40-30.log http 15-03-25_14.40.30 15-03-25_16.29.29 1 ascii
 25047  -  I 0:00.01 bash /xa/bro/master/share/broctl/scripts/archive-log conn.2015-03-25-14-40-30.log conn 15-03-25_14.40.30 15-03-25_16.29.29 1 ascii
 25841  -  S 0:00.59 bash /xa/bro/master/share/broctl/scripts/post-terminate /xa/bro/master/spool/manager
 29204  0  D+0:00.00 grep bro
 {code}





[Bro-Dev] [JIRA] (BIT-1372) Clean up ---help

2015-04-10 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1372:
--
Status: Reopened  (was: Closed)
Resolution: (was: Fixed)

 Clean up ---help
 

 Key: BIT-1372
 URL: https://bro-tracker.atlassian.net/browse/BIT-1372
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Robin Sommer
Assignee: Robin Sommer
 Fix For: 2.4







[Bro-Dev] [JIRA] (BIT-1372) Clean up ---help

2015-04-10 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1372:
--
Status: In Progress  (was: Reopened)

 Clean up ---help
 

 Key: BIT-1372
 URL: https://bro-tracker.atlassian.net/browse/BIT-1372
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Robin Sommer
Assignee: Robin Sommer
 Fix For: 2.4







[Bro-Dev] [JIRA] (BIT-844) UDP payload signature patterns don't match packet-wise

2015-04-09 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-844:


Assignee: Robin Sommer

 UDP payload signature patterns don't match packet-wise
 --

 Key: BIT-844
 URL: https://bro-tracker.atlassian.net/browse/BIT-844
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Jon Siwek
Assignee: Robin Sommer
Priority: Low
 Fix For: 2.4


 The docs say:
 {noformat}
 Regular expressions are implicitly anchored, i.e., they work as if prefixed 
 with the ^ operator. For reassembled TCP connections, they are anchored at 
 the first byte of the payload stream. For all other connections, they are 
 anchored at the first payload byte of each packet. To match at arbitrary 
 positions, you can prefix the regular expression with .*, as done in the 
 examples above.
 {noformat}
 But for a UDP connection made up of 2 packets with payloads ' and then 
 , I still need the .* prefix to match on the 2nd:
 {noformat}
 signature  {
  ip-proto = udp
  payload /.*/
  event Found 
 }
 {noformat}
 Changing the pattern to {{//}} or {{/^/}} results in no match (but 
 does match if I flip order of packets).





[Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

2015-04-09 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1361:
-

Assignee: Robin Sommer

 New installation of Bro crashes and core dumps with error indicating 
 ssh/binpac
 ---

 Key: BIT-1361
 URL: https://bro-tracker.atlassian.net/browse/BIT-1361
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: 2.3
 Environment: Debian wheezy, Dell 1750 (dual 32-bit Xeon dual-core 
 cpus), capturing on one 100 meg mirrored switch port
Reporter: Ted Llewellyn
Assignee: Robin Sommer
  Labels: binpac, ssh
 Fix For: 2.4

 Attachments: bro-bt-033115.txt


 diag results:
 {noformat}
 [BroControl]  diag
 [bro]
 Bro 2.3-633
 Linux 3.2.0-4-686-pae
 No gdb installed.
  No reporter.log
  stderr.log
 listening on eth1, capture length 8192 bytes
 bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie = t_end_of_data' failed.
 /usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted (core dumped) nohup $mybro $@
  stdout.log
 max memory size (kbytes, -m) unlimited
 data seg size   (kbytes, -d) unlimited
 virtual memory  (kbytes, -v) unlimited
 core file size  (blocks, -c) unlimited
  .cmdline
 -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
  .env_vars
 PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
 CLUSTER_NODE=
  .status
 RUNNING [net_run]
  No prof.log
  No packet_filter.log
  No loaded_scripts.log
 [BroControl] 
 {noformat}





[Bro-Dev] [JIRA] (BIT-1362) topic/dnthayer/fixes-for-2.4

2015-04-06 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1362:
--
Status: Closed  (was: Merge Request)

 topic/dnthayer/fixes-for-2.4
 

 Key: BIT-1362
 URL: https://bro-tracker.atlassian.net/browse/BIT-1362
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Reporter: Daniel Thayer
Assignee: Justin Azoff
 Fix For: 2.4


 The branch topic/dnthayer/fixes-for-2.4 contains fixes that address
 BIT-1360, 1355, 1349, 1329, and 631, as well as various other fixes
 and improvements.





[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1364:
-

Assignee: Jon Siwek

 Bro does not attach UDP analyzers when signature matches after first packet
 ---

 Key: BIT-1364
 URL: https://bro-tracker.atlassian.net/browse/BIT-1364
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Jon Siwek
Priority: Low
 Fix For: 2.4

 Attachments: f1.pcap, f2.pcap


 At the moment, Bro only seems to attach UDP analyzers based on signatures, if 
 the very first UDP packet matches the signature. Even if later UDP packets 
 match the signature, the analyzer is not attached.
 The attachments contain a test case. f1.pcap contains a DTLS connection with 
 a few STUN packets that are sent first, which is not recognized as DTLS. 
 f2.pcap contains the same connection with the first few packets missing.
 It would probably be nice if one could at least opt to attach analyzers at a 
 later time too, if a signature matches. (I know that 2.4 is probably a bit 
 optimistic for this).





[Bro-Dev] [JIRA] (BIT-1355) Hitting crl+c in broctl gives ugly output

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20223#comment-20223
 ] 

Robin Sommer commented on BIT-1355:
---

Part of BIT-1362.

 Hitting crl+c in broctl gives ugly output
 -

 Key: BIT-1355
 URL: https://bro-tracker.atlassian.net/browse/BIT-1355
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
 Fix For: 2.4


 Hitting ctrl+c in broctl results in an ugly stack-trace at the moment:
 {code}
 $ broctl
 warning: new bro version detected (run the broctl deploy command)
 Welcome to BroControl 1.3-162
 Type help for help.
 [BroControl]  Traceback (most recent call last):
   File /xa/bro/master/bin/broctl, line 777, in module
 sys.exit(main())
   File /xa/bro/master/bin/broctl, line 772, in main
 cmdsuccess = loop.cmdloop(\nWelcome to BroControl %s\n\nType \help\ 
 for help.\n % version.VERSION)
   File /xa/bro/master/lib/broctl/BroControl/brocmd.py, line 36, in cmdloop
 line = py3bro.input(self.prompt)
 KeyboardInterrupt
 $
 {code}





[Bro-Dev] [JIRA] (BIT-1355) Hitting crl+c in broctl gives ugly output

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1355:
--
Resolution: Fixed
Status: Closed  (was: Open)

 Hitting crl+c in broctl gives ugly output
 -

 Key: BIT-1355
 URL: https://bro-tracker.atlassian.net/browse/BIT-1355
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
 Fix For: 2.4


 Hitting ctrl+c in broctl results in an ugly stack-trace at the moment:
 {code}
 $ broctl
 warning: new bro version detected (run the broctl deploy command)
 Welcome to BroControl 1.3-162
 Type help for help.
 [BroControl]  Traceback (most recent call last):
   File /xa/bro/master/bin/broctl, line 777, in module
 sys.exit(main())
   File /xa/bro/master/bin/broctl, line 772, in main
 cmdsuccess = loop.cmdloop(\nWelcome to BroControl %s\n\nType \help\ 
 for help.\n % version.VERSION)
   File /xa/bro/master/lib/broctl/BroControl/brocmd.py, line 36, in cmdloop
 line = py3bro.input(self.prompt)
 KeyboardInterrupt
 $
 {code}





[Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20228#comment-20228
 ] 

Robin Sommer commented on BIT-1329:
---

Fixed in BIT-1362.

 BroControl scripts displays meta-information from bro logger
 

 Key: BIT-1329
 URL: https://bro-tracker.atlassian.net/browse/BIT-1329
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
 Fix For: 2.4


 When issuing a broctl scripts, the output contains meta bro-log-lines (like 
 #fields, etc) that we probably do not want to display in this case.
 Example:
 {code}
 [BroControl]  scripts manager
 manager scripts are ok.
   #separator \x09
   #set_separator  ,
   #empty_field(empty)
   #unset_field-
   #path   loaded_scripts
   #open   2015-03-05-13-24-34
   #fields name
   #types  string
   /xa/bro/master/share/bro/base/init-bare.bro
 /xa/bro/master/share/bro/base/bif/const.bif.bro
 ...
   /xa/bro/master/share/bro/broctl/check.bro
   #close  2015-03-05-13-24-34
 {code}





[Bro-Dev] [JIRA] (BIT-631) Special message for broctl locking when done by cron

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-631:
-
Resolution: Fixed
Status: Closed  (was: Open)

 Special message for broctl locking when done by cron
 

 Key: BIT-631
 URL: https://bro-tracker.atlassian.net/browse/BIT-631
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: BroControl
Reporter: Seth Hall
Assignee: Daniel Thayer
 Fix For: 2.4


 If the broctl lock is being held by the cron command it would be nice if the 
 message that indicates a lock is already held would indicate if it is the 
 cron command.  If multiple people are working with broctl the person that 
 gets a lock doesn't know if it's because of another user or because they 
 happened to be trying to do something while the cron command is running.





[Bro-Dev] [JIRA] (BIT-931) Ascii writer does not escape empty sets / vectors

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-931?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-931:
-
Fix Version/s: (was: 2.4)
   2.5

 Ascii writer does not escape empty sets / vectors
 -

 Key: BIT-931
 URL: https://bro-tracker.atlassian.net/browse/BIT-931
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Seth Hall
 Fix For: 2.5


 The script
 {noformat}
 redef LogAscii::empty_field = "EMPTY";
 module SSH;
 export {
   redef enum Log::ID += { LOG };
   type Log: record {
     ss: set[string];
   } &log;
 }
 event bro_init()
 {
   Log::create_stream(SSH::LOG, [$columns=Log]);
   # A one-element set whose only element is the empty_field marker itself.
   Log::write(SSH::LOG, [
     $ss=set("EMPTY")
   ]);
 }
 {noformat}
 Outputs the line
 {noformat}
 EMPTY
 {noformat} 
 to a log-file. This makes it impossible to distinguish a line containing 
 EMPTY from a line containing an empty set.



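The ASCII log format behind both BIT-931 above and BIT-1329 earlier in this digest, as an added Python example that is not Bro's or BroControl's code: a reader that honours the #separator/#set_separator/#empty_field/#unset_field directives, the data-only view `broctl scripts` should have printed, and a set-column writer that reproduces the unescaped EMPTY collision and then escapes it. The sample log text is constructed, and the \xHH escaping of a colliding value is this example's own rule, not the fix Bro shipped.

```python
"""Reader and set-column writer for Bro's ASCII log format (added example, not
Bro's or BroControl's code). It shows why the '#' directives of BIT-1329 matter
to a parser but are noise for a human, and why a value equal to
LogAscii::empty_field (BIT-931) has to be escaped when it is written."""
import re
from typing import Dict, List, Union

Value = Union[None, str, List[str]]

# Constructed sample log carrying the directives the ASCII writer emits (tab
# separated after the first line). Row 1: an empty set and an unset string.
# Row 2: the set containing the literal "EMPTY", first byte hex-escaped so it
# no longer collides with the empty_field marker.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\tEMPTY",
    "#unset_field\t-",
    "#path\tssh",
    "#open\t2015-03-05-13-24-34",
    "#fields\tss\tnote",
    "#types\tset[string]\tstring",
    "EMPTY\t-",
    "\\x45MPTY\tliteral",
    "a,b\tpair",
    "#close\t2015-03-05-13-24-34",
])

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(field: str) -> str:
    """Decode the \\xHH escapes the writer uses for separators and non-printables."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), field)


def data_lines(text: str) -> List[str]:
    """Record lines only: what `broctl scripts` should have shown (BIT-1329)."""
    return [ln for ln in text.splitlines() if ln and not ln.startswith("#")]


def parse_log(text: str) -> Dict[str, object]:
    """Parse a Bro ASCII log into typed rows using its own directives:
    sets/vectors split on #set_separator, #empty_field -> [] or "",
    #unset_field -> None."""
    sep = "\t"
    meta: Dict[str, List[str]] = {}
    rows: List[Dict[str, Value]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            sep = unescape(line[len("#separator "):])  # the one directive not using sep
            continue
        if line.startswith("#"):  # #set_separator, #fields, #types, #open, ...
            key, *vals = line[1:].split(sep)
            meta[key] = vals
            continue
        set_sep = meta.get("set_separator", [","])[0]
        empty = meta.get("empty_field", ["(empty)"])[0]
        unset = meta.get("unset_field", ["-"])[0]
        row: Dict[str, Value] = {}
        for name, typ, raw in zip(meta.get("fields", []), meta.get("types", []),
                                  line.split(sep)):
            if raw == unset:
                row[name] = None
            elif typ.startswith(("set[", "vector[")):
                # BIT-931: a raw "EMPTY" can only mean the empty set here, so the
                # writer must escape a genuine "EMPTY" element or it is lost.
                row[name] = [] if raw == empty else [unescape(v) for v in raw.split(set_sep)]
            else:
                row[name] = "" if raw == empty else unescape(raw)
        rows.append(row)
    return {"path": meta.get("path", [None])[0], "fields": meta.get("fields", []),
            "types": meta.get("types", []), "rows": rows}


def format_set(values: List[str], set_sep: str = ",", empty: str = "(empty)",
               unset: str = "-", escape: bool = True) -> str:
    """Render one set[string] column. escape=False reproduces BIT-931: set("EMPTY")
    and set() both render as "EMPTY" once empty_field is "EMPTY". escape=True
    \\xHH-escapes backslashes, the set separator and a rendering that collides
    with the empty/unset markers (this rule is the example's, not Bro's)."""
    if not values:
        return empty
    if not escape:
        return set_sep.join(values)
    items = [v.replace("\\", "\\x5c").replace(set_sep, "\\x%02x" % ord(set_sep))
             for v in values]
    rendered = set_sep.join(items)
    if rendered in (empty, unset):
        rendered = "\\x%02x" % ord(rendered[0]) + rendered[1:]
    return rendered
```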


[Bro-Dev] [JIRA] (BIT-1367) Type clashing problem when records with default values are used in sets.

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1367:
-

Assignee: Robin Sommer

 Type clashing problem when records with default values are used in sets.
 

 Key: BIT-1367
 URL: https://bro-tracker.atlassian.net/browse/BIT-1367
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Robin Sommer
  Labels: logging
 Fix For: 2.4


 topic/johanna/sft-port is a branch that contains a slight modification to the 
 sftp log-rotator, adding the possibility to select the server port with a 
 default value of 20.
 After adding this small change, the Bro type system is no longer able to 
 figure out that it can coerce the record in cases that previously worked. The 
 default invocation of the sftp log-rotator using:
 {code}
 Log::add_filter(Conn::LOG, [$name="test", $path="testconn",
                             $writer=Log::WRITER_ASCII,
                             $interv=1hr, $postprocessor=Log::sftp_postprocessor]);
 # Anonymous record literal that used to coerce to Log::SFTPDestination.
 Log::sftp_destinations[Log::WRITER_ASCII, "testconn"] =
     set([$user="testuser", $host="testhost", $path="testpath"]);
 {code}
 or similar leads to
 {code}
 type clash in assignment (Log::sftp_destinations[Log::WRITER_ASCII, testconn] 
 = set([$user=testuser, $host=testhost, $path=testpath]))
 {code}
 Directly specifying the type of the record works, but would break all other 
 scripts that are using the sftp log rotator currently.
 Working example:
 {code}
 Log::add_filter(Conn::LOG, [$name="test", $path="testconn",
                             $writer=Log::WRITER_ASCII,
                             $interv=1hr, $postprocessor=Log::sftp_postprocessor]);
 # Naming the record type explicitly sidesteps the failed coercion.
 Log::sftp_destinations[Log::WRITER_ASCII, "testconn"] =
     set(Log::SFTPDestination($user="testuser", $host="testhost", $path="testpath"));
 {code}
 Once this is fixed, topic/johanna/sft-port can be merged.





[Bro-Dev] [JIRA] (BIT-1367) Type clashing problem when records with default values are used in sets.

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1367:
-

Assignee: Jon Siwek  (was: Robin Sommer)

 Type clashing problem when records with default values are used in sets.
 

 Key: BIT-1367
 URL: https://bro-tracker.atlassian.net/browse/BIT-1367
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Jon Siwek
  Labels: logging
 Fix For: 2.4


 topic/johanna/sft-port is a branch that contains a slight modification to the 
 sftp log-rotator, adding the possibility to select the server port with a 
 default value of 20.
 After adding this small change, the Bro type system is no longer able to 
 figure out that it can coerce the record in cases that previously worked. The 
 default invocation of the sftp log-rotator using:
 {code}
 Log::add_filter(Conn::LOG, [$name="test", $path="testconn",
                             $writer=Log::WRITER_ASCII,
                             $interv=1hr, $postprocessor=Log::sftp_postprocessor]);
 # Anonymous record literal that used to coerce to Log::SFTPDestination.
 Log::sftp_destinations[Log::WRITER_ASCII, "testconn"] =
     set([$user="testuser", $host="testhost", $path="testpath"]);
 {code}
 or similar leads to
 {code}
 type clash in assignment (Log::sftp_destinations[Log::WRITER_ASCII, testconn] 
 = set([$user=testuser, $host=testhost, $path=testpath]))
 {code}
 Directly specifying the type of the record works, but would break all other 
 scripts that are using the sftp log rotator currently.
 Working example:
 {code}
 Log::add_filter(Conn::LOG, [$name="test", $path="testconn",
                             $writer=Log::WRITER_ASCII,
                             $interv=1hr, $postprocessor=Log::sftp_postprocessor]);
 # Naming the record type explicitly sidesteps the failed coercion.
 Log::sftp_destinations[Log::WRITER_ASCII, "testconn"] =
     set(Log::SFTPDestination($user="testuser", $host="testhost", $path="testpath"));
 {code}
 Once this is fixed, topic/johanna/sft-port can be merged.





[Bro-Dev] [JIRA] (BIT-1360) Better error message when SpoolDir does not exist

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20221#comment-20221
 ] 

Robin Sommer commented on BIT-1360:
---

Included in BIT-1362

 Better error message when SpoolDir does not exist
 -

 Key: BIT-1360
 URL: https://bro-tracker.atlassian.net/browse/BIT-1360
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
Priority: Low
 Fix For: 2.4


 Currently, the error message that is given when SpoolDir in broctl.cfg does 
 not exist is rather unhelpful (something in the direction of "Cannot open 
 database").





[Bro-Dev] [JIRA] (BIT-1342) Occasional test failures

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1342:
-

Assignee: Daniel Thayer

 Occasional test failures
 

 Key: BIT-1342
 URL: https://bro-tracker.atlassian.net/browse/BIT-1342
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Reporter: Robin Sommer
Assignee: Daniel Thayer
 Fix For: 2.4


 Two tests in current master fail for me occasionally (usually when I run the 
 full broctl test-suite but not when I rerun just these failing tests). Diag 
 output below.
 {code}
 command.start-stop-standalone ... failed
   % 'btest-diff stop.out' failed unexpectedly (exit code 1)
   % cat .diag
   == File ===
   stopping bro ...
   Exception in thread Thread-1 (most likely raised during interpreter 
 shutdown):
   Traceback (most recent call last):
   File /usr/lib64/python2.7/threading.py, line 811, in __bootstrap_inner
   File 
 /home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py,
  line
   File 
 /home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py,
  line
   File /usr/lib64/python2.7/Queue.py, line 177, in get
   File /usr/lib64/python2.7/threading.py, line 354, in wait
   type 'exceptions.TypeError': 'NoneType' object is not callable
   == Diff ===
   --- 
 /home/robin/bro/master/aux/broctl/testing/Baseline/command.start-stop-standalone/stop.out
  2013-06-01 00:29:07.
   +++ stop.out  2015-03-17 22:50:01.857838625 +
   @@ -1 +1,9 @@
   stopping bro ...
   +Exception in thread Thread-1 (most likely raised during interpreter 
 shutdown):
   +Traceback (most recent call last):
   +  File /usr/lib64/python2.7/threading.py, line 811, in __bootstrap_inner
   +  File 
 /home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py,
  l
   +  File 
 /home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py,
  l
   +  File /usr/lib64/python2.7/Queue.py, line 177, in get
   +  File /usr/lib64/python2.7/threading.py, line 354, in wait
   +type 'exceptions.TypeError': 'NoneType' object is not callable
   ===
 [...]
 command.start-cluster-slowstart ... failed
   % 'btest-diff status2.out' failed unexpectedly (exit code 1)
   % cat .diag
   == File ===
   Getting process status ...
   Getting peer status ...
   Name TypeHost StatusPidPeers  Started
   manager  manager localhoststopped
   proxy-1  proxy   localhoststopped
   worker-1 worker  localhoststopped
   worker-2 worker  localhoststopped
   == Diff ===
   --- 
 /home/robin/bro/master/aux/broctl/testing/Baseline/command.start-cluster-slowstart/status2.out
 2015-03-04 20:16
   +++ status2.out   2015-03-17 22:50:26.578618684 +
   @@ -3,5 +3,5 @@
   Name TypeHost StatusPidPeers  Started
   manager  manager localhoststopped
   proxy-1  proxy   localhoststopped
   -worker-1 worker  localhostcrashed
   +worker-1 worker  localhoststopped
   worker-2 worker  localhoststopped
   ===
 {code}





[Bro-Dev] [JIRA] (BIT-1336) ElasticSearch indices in UTC

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1336:
-

Assignee: Seth Hall

 ElasticSearch indices in UTC
 

 Key: BIT-1336
 URL: https://bro-tracker.atlassian.net/browse/BIT-1336
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: 2.4
Reporter: Vlad Grigorescu
Assignee: Seth Hall
Priority: Trivial
 Fix For: 2.4


 For improved compatibility with Kibana and other ElasticSearch frontends, the 
 timestamps on the Bro indices should be changed to UTC.





[Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1329:
--
Resolution: Fixed
Status: Closed  (was: Reopened)

 BroControl scripts displays meta-information from bro logger
 

 Key: BIT-1329
 URL: https://bro-tracker.atlassian.net/browse/BIT-1329
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
 Fix For: 2.4


 When issuing a broctl scripts, the output contains meta bro-log-lines (like 
 #fields, etc) that we probably do not want to display in this case.
 Example:
 {code}
 [BroControl]  scripts manager
 manager scripts are ok.
   #separator \x09
   #set_separator  ,
   #empty_field(empty)
   #unset_field-
   #path   loaded_scripts
   #open   2015-03-05-13-24-34
   #fields name
   #types  string
   /xa/bro/master/share/bro/base/init-bare.bro
 /xa/bro/master/share/bro/base/bif/const.bif.bro
 ...
   /xa/bro/master/share/bro/broctl/check.bro
   #close  2015-03-05-13-24-34
 {code}





[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1364:
--
Priority: Low  (was: Normal)

 Bro does not attach UDP analyzers when signature matches after first packet
 ---

 Key: BIT-1364
 URL: https://bro-tracker.atlassian.net/browse/BIT-1364
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Priority: Low
 Fix For: 2.4

 Attachments: f1.pcap, f2.pcap


 At the moment, Bro only seems to attach UDP analyzers based on signatures, if 
 the very first UDP packet matches the signature. Even if later UDP packets 
 match the signature, the analyzer is not attached.
 The attachments contain a test case. f1.pcap contains a DTLS connection with 
 a few STUN packets that are sent first, which is not recognized as DTLS. 
 f2.pcap contains the same connection with the first few packets missing.
 It would probably be nice if one could at least opt to attach analyzers at a 
 later time too, if a signature matches. (I know that 2.4 is probably a bit 
 optimistic for this).





[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20226#comment-20226
 ] 

Robin Sommer commented on BIT-1339:
---

Turns out this needs more discussion, as the right solution isn't quite clear 
yet.

 Remove src and dst from notice
 --

 Key: BIT-1339
 URL: https://bro-tracker.atlassian.net/browse/BIT-1339
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Seth Hall
Assignee: Seth Hall
 Fix For: 2.5


 Email from Brian Kellog...
 Related to this, I'm planning on deprecating $src and $dst from notices and 
 removing their use from all shipped Bro scripts.
 {quote}
 I'm going through and updating the NOTICEs for different detection scripts 
 built into Bro.  Trying to get the generated NOTICE logs set correctly for 
 ELSA to parse.  It is working but I'm not sure if I'm doing this the most Bro 
 appropriate way.  Couple questions:
 Is this the best way to accomplish this task?  Secondly, if advisable, how do 
 we get these script changes incorporated into Bro base?  I'm not that 
 experienced with git but willing to learn more if needed.  These changes were 
 made, again, to benefit ELSA searching/grouping and for the Bro correlation 
 script recently released.
 Here's what I changed/added in some of the built-in detection scripts (lines 
 with + are what I changed/added):
 /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
 NOTICE([$note=Password_Guessing,
$msg=fmt(%s appears to be guessing SSH passwords (seen in %d 
 connections)., key$host, r$num),
$sub=sub_msg,
 +   #$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
$identifier=cat(key$host)]);
 }]);
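Review bot: the added `$id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp]` fabricates a connection identifier for a notice that summarises many connections, and a consumer of notice.log (ELSA included) cannot tell the 0.0.0.0 and 0/tcp placeholders from a genuine responder address and port. If the only goal is a host column to group on, document the placeholder convention next to the notice, or keep `$src=key$host` until `$src` is actually deprecated, so downstream parsers are not taught that 0.0.0.0 is a real peer.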
 /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
 NOTICE([$note=FTP::Bruteforcing,
 +   #$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
$msg=message,
$identifier=cat(key$host)]);
 }]);
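Review bot: `+   #$src=key$host,` replaces the field with a commented-out copy instead of removing it, and the same pattern repeats in every file below. Either delete the line outright or leave `$src` in place until it is deprecated; commented-out fields are dead code that readers of the shipped scripts have to puzzle over.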
 /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
 NOTICE([$note=SQL_Injection_Attacker,
$msg=An SQL injection attacker was discovered!,
$email_body_sections=vector(format_sqli_samples(r$samples)),
 +   #$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
 +   $sub=cat(format_sqli_samples(r$samples)),
$identifier=cat(key$host)]);
 }]);
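Review bot: `$sub=cat(format_sqli_samples(r$samples))` copies into the sub column the same sample text that `$email_body_sections=vector(format_sqli_samples(r$samples))` already carries, so every notice.log line now embeds the raw attacker-supplied request samples. A short fixed summary (the sample count, for instance) keeps the log line bounded and leaves the full samples in the e-mail body; `cat()` around a value that is already a string is also a no-op and can be dropped.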
 …
 NOTICE([$note=SQL_Injection_Victim,
$msg=An SQL injection victim was discovered!,
$email_body_sections=vector(format_sqli_samples(r$samples)),
 +   #$src=key$host,
 +   
 $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
 +   $sub=cat(format_sqli_samples(r$samples)),
$identifier=cat(key$host)]);
 }]);
 /opt/bro/share/bro/policy/misc/scan.bro
 NOTICE([$note=Address_Scan,
#$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
 +   #$p=to_port(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
 }]);
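Review bot: `$resp_p=key$str` assigns a string to the `resp_p` member of a `conn_id`, which is a port, and the commented-out `#$p=to_port(key$str)` on the next line already spells out the conversion that is needed. This should read `$resp_p=to_port(key$str)`; as written the record constructor will be rejected with a type clash.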
 …
 NOTICE([$note=Port_Scan,
#$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
 +   #$dst=to_addr(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
 }]);
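Review bot: `$resp_h=key$str` stores a string in the `resp_h` address field of the `conn_id`; the commented-out `#$dst=to_addr(key$str)` gives the conversion, so this should read `$resp_h=to_addr(key$str)`. The Address_Scan `$resp_p=key$str` line above has the mirror-image problem with its port field.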
 /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
 NOTICE([$note=Traceroute::Detected,
$msg=fmt(%s seems to be running traceroute using %s, src, 
 proto),
 +   #$src=src,
 +   $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
$identifier=cat(src,proto)]);
 }]);
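Review bot: `dst` in `$id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp]` is the only use of that name in the snippet (the `fmt()` call and `$identifier=cat(src,proto)` use only `src` and `proto`), so confirm it is bound in this handler's scope before merging. ICMP has no ports, so the 0/icmp entries are placeholders like the 0/tcp ones in the other scripts and should be documented as such.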
 {quote}





[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1339:
--
Fix Version/s: (was: 2.4)
   2.5

 Remove src and dst from notice
 --

 Key: BIT-1339
 URL: https://bro-tracker.atlassian.net/browse/BIT-1339
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Seth Hall
Assignee: Seth Hall
 Fix For: 2.5


 Email from Brian Kellog...
 Related to this, I'm planning on deprecating $src and $dst from notices and 
 removing their use from all shipped Bro scripts.
 {quote}
 I'm going through and updating the NOTICEs for different detection scripts 
 built into Bro.  Trying to get the generated NOTICE logs set correctly for 
 ELSA to parse.  It is working but I'm not sure if I'm doing this the most Bro 
 appropriate way.  Couple questions:
 Is this the best way to accomplish this task?  Secondly, if advisable, how do 
 we get these script changes incorporated into Bro base?  I'm not that 
 experienced with git but willing to learn more if needed.  These changes were 
 made, again, to benefit ELSA searching/grouping and for the Bro correlation 
 script recently released.
 Here's what I changed/added in some of the built-in detection scripts (lines 
 with + are what I changed/added):
 /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
 NOTICE([$note=Password_Guessing,
$msg=fmt(%s appears to be guessing SSH passwords (seen in %d 
 connections)., key$host, r$num),
$sub=sub_msg,
 +   #$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
$identifier=cat(key$host)]);
 }]);
 /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
 NOTICE([$note=FTP::Bruteforcing,
 +   #$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
$msg=message,
$identifier=cat(key$host)]);
 }]);
 /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
 NOTICE([$note=SQL_Injection_Attacker,
$msg=An SQL injection attacker was discovered!,
$email_body_sections=vector(format_sqli_samples(r$samples)),
 +   #$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
 +   $sub=cat(format_sqli_samples(r$samples)),
$identifier=cat(key$host)]);
 }]);
 …
 NOTICE([$note=SQL_Injection_Victim,
$msg=An SQL injection victim was discovered!,
$email_body_sections=vector(format_sqli_samples(r$samples)),
 +   #$src=key$host,
 +   
 $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
 +   $sub=cat(format_sqli_samples(r$samples)),
$identifier=cat(key$host)]);
 }]);
 /opt/bro/share/bro/policy/misc/scan.bro
 NOTICE([$note=Address_Scan,
#$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
 +   #$p=to_port(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
 }]);
 …
 NOTICE([$note=Port_Scan,
#$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
 +   #$dst=to_addr(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
 }]);
 /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
 NOTICE([$note=Traceroute::Detected,
$msg=fmt(%s seems to be running traceroute using %s, src, 
 proto),
 +   #$src=src,
 +   $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
$identifier=cat(src,proto)]);
 }]);
 {quote}





[Bro-Dev] [JIRA] (BIT-1368) File type identification fixes

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1368?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1368:
--
Fix Version/s: 2.4

 File type identification fixes
 --

 Key: BIT-1368
 URL: https://bro-tracker.atlassian.net/browse/BIT-1368
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: 2.4
Reporter: Seth Hall
Assignee: Seth Hall
 Fix For: 2.4


 I have some changes nearly queued up for the 2.4 release in the repository 
 (topic/seth/more-file-type-ident-fixes), but a bit more work needs to 
 be done.
 There may be one more breaking change to the files api coming in this branch 
 too.  Jon and I discussed some options and I think that creating a new event 
 named file_sniff in place of the file_mime_type event makes sense.  We can 
 put the mime type and more sniff originated data in a record on that event 
 so that we can extend it cleanly (and without breaking APIs) in the future.  
 I think it will look something like this:
 ```
 type fa_sniff: record {
     ## Depth sniffed.
     depth: count &default=0;
     ## Sniffed mime type if one was discovered.
     mime_type: string &optional;
 };

 event file_sniff(f: fa_file, sniff: fa_sniff)
 {
     if ( sniff?$mime_type )
     {
         print sniff$mime_type;
     }
 }
 ```
 One other thing this branch will address is a performance degradation from 
 certain file signatures interacting with each other poorly.





[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1365:
-

Assignee: Vlad Grigorescu

 direction field of SSH::Info no longer populated
 

 Key: BIT-1365
 URL: https://bro-tracker.atlassian.net/browse/BIT-1365
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Jon Siwek
Assignee: Vlad Grigorescu
 Fix For: 2.4


 Here's the bug report:
 {quote}
 Reporter::ERROR   field value missing
 [SSH::c$ssh$direction]
 /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro, line 29
 Reporter::WARNING non-void function returns without a value:
 SSH::get_location (empty)
 Tracing this back, it looks like the SSH::c$ssh$direction is not being
 populated. I checked the /base/protocols/ssh/main.bro file and it looks
 like the function is missing.
 Looking at https://www.bro.org/sphinx/_downloads/main32.bro and
 https://github.com/bro/bro/blob/master/scripts/base/protocols/ssh/main.bro
 it looks like the function that determined the direction was removed at
 one point, which looks like it causes the
 /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro script to fail
 {quote}





[Bro-Dev] [JIRA] (BIT-1360) Better error message when SpoolDir does not exist

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1360:
--
Resolution: Fixed
Status: Closed  (was: Open)

 Better error message when SpoolDir does not exist
 -

 Key: BIT-1360
 URL: https://bro-tracker.atlassian.net/browse/BIT-1360
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
Priority: Low
 Fix For: 2.4


 Currently, the error message that is given when SpoolDir in broctl.cfg does 
 not exist is rather unhelpful (something in the direction of "Cannot open 
 database").





[Bro-Dev] [JIRA] (BIT-1349) Broctl stop output is not sorted anymore

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20225#comment-20225
 ] 

Robin Sommer commented on BIT-1349:
---

Fixed in BIT-1362.

 Broctl stop output is not sorted anymore
 

 Key: BIT-1349
 URL: https://bro-tracker.atlassian.net/browse/BIT-1349
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
Priority: Trivial
 Fix For: 2.4


 Minor: the output of the worker nodes when doing broctl stop is not sorted 
 anymore. We should either sort it (or just skip outputting it altogether) - 
 at the moment it is not really useful; if there is no numerical order it is 
 difficult to see if a number one wants to have in there is missing or not.





[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1339:
-

Assignee: (was: Seth Hall)

 Remove src and dst from notice
 --

 Key: BIT-1339
 URL: https://bro-tracker.atlassian.net/browse/BIT-1339
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Seth Hall
 Fix For: 2.5


 Email from Brian Kellog...
 Related to this, I'm planning on deprecating $src and $dst from notices and 
 removing their use from all shipped Bro scripts.
 {quote}
 I'm going through and updating the NOTICEs for different detection scripts 
 built into Bro.  Trying to get the generated NOTICE logs set correctly for 
 ELSA to parse.  It is working but I'm not sure if I'm doing this the most Bro 
 appropriate way.  Couple questions:
 Is this the best way to accomplish this task?  Secondly, if advisable, how do 
 we get these script changes incorporated into Bro base?  I'm not that 
 experienced with git but willing to learn more if needed.  These changes were 
 made, again, to benefit ELSA searching/grouping and for the Bro correlation 
 script recently released.
 Here's what I changed/added to some of the built-in detection scripts (lines 
 with + are what I changed/added):
 /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
 NOTICE([$note=Password_Guessing,
$msg=fmt(%s appears to be guessing SSH passwords (seen in %d 
 connections)., key$host, r$num),
$sub=sub_msg,
 +   #$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
$identifier=cat(key$host)]);
 }]);
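Review bot: the added $id record in this hunk fills $resp_h with 0.0.0.0 and both ports with 0/tcp because the SumStats key only carries the guessing host, yet anything downstream that groups on id.resp_h or id.resp_p (the ELSA parsing this change is meant to serve) will treat those placeholders as real values. A comment on the $id line stating that only $orig_h is meaningful for this notice would save consumers from that misreading.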
 /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
 NOTICE([$note=FTP::Bruteforcing,
 +   #$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
$msg=message,
$identifier=cat(key$host)]);
 }]);
 /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
 NOTICE([$note=SQL_Injection_Attacker,
$msg=An SQL injection attacker was discovered!,
$email_body_sections=vector(format_sqli_samples(r$samples)),
 +   #$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
 +   $sub=cat(format_sqli_samples(r$samples)),
$identifier=cat(key$host)]);
 }]);
 …
 NOTICE([$note=SQL_Injection_Victim,
$msg=An SQL injection victim was discovered!,
$email_body_sections=vector(format_sqli_samples(r$samples)),
 +   #$src=key$host,
 +   
 $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
 +   $sub=cat(format_sqli_samples(r$samples)),
$identifier=cat(key$host)]);
 }]);
 /opt/bro/share/bro/policy/misc/scan.bro
 NOTICE([$note=Address_Scan,
#$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
 +   #$p=to_port(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
 }]);
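Review bot: in the Address_Scan hunk, the added "$id=[...,$resp_p=key$str]" passes key$str straight into the $resp_p port field, while the commented-out "#$p=to_port(key$str)" line on the same hunk shows key$str is a string that needs to_port() before it can be used as a port. This should read "$resp_p=to_port(key$str)" or the record constructor will fail to type-check.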
 …
 NOTICE([$note=Port_Scan,
#$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
 +   #$dst=to_addr(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
 }]);
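Review bot: same issue in the Port_Scan hunk: "$resp_h=key$str" assigns the raw string to the $resp_h address field, whereas the commented-out "#$dst=to_addr(key$str)" shows the conversion that is needed. This should be "$resp_h=to_addr(key$str)".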
 /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
 NOTICE([$note=Traceroute::Detected,
$msg=fmt(%s seems to be running traceroute using %s, src, 
 proto),
 +   #$src=src,
 +   $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
$identifier=cat(src,proto)]);
 }]);
 {quote}





[Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20230#comment-20230
 ] 

Robin Sommer commented on BIT-1306:
---

Check the change.

 bro process would get stuck/freeze with myricom drivers
 ---

 Key: BIT-1306
 URL: https://bro-tracker.atlassian.net/browse/BIT-1306
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
 Environment:  OS: FreeBSD 9.3-RELEASE-p5 OS
 bro version 2.3-328
 git log -1 --format=%H
 379593c7fded0f9791ae71a52dd78a4c9d5a2c1f
Reporter: Aashish Sharma
  Labels: bro-git, myricom
 Fix For: 2.4


 When I stop bro (in cluster mode), one of the bro worker processes (random) 
 would get stuck and wouldn't shut down, stop or even be killed using kill -s 
 9. 
 The system has to be rebooted to remove the stuck bro process. 
 On running myri_start_stop I see:
 # /usr/local/opt/snf/sbin/myri_start_stop stop
 Removing myri_snf.ko
 kldunload: can't unload file: Device busy
 It appears that the myri_snf.ko driver cannot be unloaded because of the 
 stuck bro process. That process still has an open descriptor on the Sniffer 
 device/driver, and the bro process freezes.
 More details:
 The bro process is stuck in RNE state
 R   Marks a runnable process.
 N   The process has reduced CPU scheduling priority (see setpriority(2)).
 E   The process is trying to exit.
 Here is an example:
 ### stuck process:
 [bro@01 ~]$ ps auxwww | fgrep 1616
 bro      1616  100.0  0.0 758040 60480 ??  RNE   2:57PM   53:50.04 
 /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p 
 local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro 
 broctl/auto
 when checking for process in proc:
 [bro@c ~]$ ls -l /proc/1616
 ls: /proc/1616: No such file or directory





[Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1306:
-

Assignee: Robin Sommer

 bro process would get stuck/freeze with myricom drivers
 ---

 Key: BIT-1306
 URL: https://bro-tracker.atlassian.net/browse/BIT-1306
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
 Environment:  OS: FreeBSD 9.3-RELEASE-p5 OS
 bro version 2.3-328
 git log -1 --format=%H
 379593c7fded0f9791ae71a52dd78a4c9d5a2c1f
Reporter: Aashish Sharma
Assignee: Robin Sommer
  Labels: bro-git, myricom
 Fix For: 2.4


 When I stop bro (in cluster mode), one of the bro worker processes (random) 
 would get stuck and wouldn't shut down, stop or even be killed using kill -s 
 9. 
 The system has to be rebooted to remove the stuck bro process. 
 On running myri_start_stop I see:
 # /usr/local/opt/snf/sbin/myri_start_stop stop
 Removing myri_snf.ko
 kldunload: can't unload file: Device busy
 It appears that the myri_snf.ko driver cannot be unloaded because of the 
 stuck bro process. That process still has an open descriptor on the Sniffer 
 device/driver, and the bro process freezes.
 More details:
 The bro process is stuck in RNE state
 R   Marks a runnable process.
 N   The process has reduced CPU scheduling priority (see setpriority(2)).
 E   The process is trying to exit.
 Here is an example:
 ### stuck process:
 [bro@01 ~]$ ps auxwww | fgrep 1616
 bro      1616  100.0  0.0 758040 60480 ??  RNE   2:57PM   53:50.04 
 /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p 
 local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro 
 broctl/auto
 when checking for process in proc:
 [bro@c ~]$ ls -l /proc/1616
 ls: /proc/1616: No such file or directory





[Bro-Dev] [JIRA] (BIT-1331) Bro manager crashes when logs rotate

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1331:
--
Priority: Normal  (was: Low)

 Bro manager crashes when logs rotate
 

 Key: BIT-1331
 URL: https://bro-tracker.atlassian.net/browse/BIT-1331
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master, 2.4
 Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
Reporter: Josh Liburdi
 Fix For: 2.4


 The Bro manager crashes when the logs rotate. Workers run fine through this 
 process. 
 stderr.log output:
 internal error: finish missing
 /usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted 
 (core dumped) nohup $mybro $@
 send-mail: SENDMAIL-NOTFOUND not found





[Bro-Dev] [JIRA] (BIT-947) Incorrect size calculation for SSH failed/successful heuristic

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-947:
-
Resolution: Fixed
Status: Closed  (was: Open)

 Incorrect size calculation for SSH failed/successful heuristic
 --

 Key: BIT-947
 URL: https://bro-tracker.atlassian.net/browse/BIT-947
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Vlad Grigorescu
Priority: Low
 Fix For: 2.4


 We're getting a lot of false positives for successful SSH logins from a 
 source that we recently blackholed. I suspect what's happening is that the 
 retransmissions keep bumping up the size of the connection, until it crosses 
 the threshold for a successful connection. 
 With the changes from BIT-730: Find and fix tcp sequence counting bugs, is it 
 possible to improve the accuracy of the reported size?





[Bro-Dev] [JIRA] (BIT-947) Incorrect size calculation for SSH failed/successful heuristic

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20232#comment-20232
 ] 

Robin Sommer commented on BIT-947:
--

Should be fixed with new SSH code.

 Incorrect size calculation for SSH failed/successful heuristic
 --

 Key: BIT-947
 URL: https://bro-tracker.atlassian.net/browse/BIT-947
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Vlad Grigorescu
Priority: Low
 Fix For: 2.4


 We're getting a lot of false positives for successful SSH logins from a 
 source that we recently blackholed. I suspect what's happening is that the 
 retransmissions keep bumping up the size of the connection, until it crosses 
 the threshold for a successful connection. 
 With the changes from BIT-730: Find and fix tcp sequence counting bugs, is it 
 possible to improve the accuracy of the reported size?



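The inflation BIT-947 describes, shown on a constructed trace as an added example (this is not Bro's code, and the byte threshold, the segment layout and the function names are assumptions made for the illustration): a size heuristic that sums every segment's payload counts a retransmitted segment again each time it is resent, so a connection to a blackholed peer, where nothing is ever ACKed, grows past a "successful login" threshold without carrying any new data. Counting covered sequence space instead, which is what a sequence-aware size (the direction BIT-730 points in) amounts to, gives the real figure.

```python
"""Constructed example: naive payload sums versus sequence-space coverage.

A connection-size heuristic that adds up the payload of every segment seen
on the wire double-counts retransmissions.  Measuring the TCP sequence
space actually covered counts each byte once however often it is resent.
"""
from typing import Iterable, List, Tuple

# (relative sequence number, payload length) of one TCP segment
Segment = Tuple[int, int]

# Hypothetical byte threshold for "login succeeded"; not Bro's real value.
SUCCESS_THRESHOLD = 5000


def naive_bytes(segments: Iterable[Segment]) -> int:
    """Sum the payload of every segment seen, retransmissions included."""
    return sum(length for _, length in segments)


def sequence_space_bytes(segments: Iterable[Segment]) -> int:
    """Count each byte of sequence space once by merging [seq, seq+len)
    intervals; overlapping or repeated segments add nothing."""
    intervals = sorted((seq, seq + length) for seq, length in segments if length > 0)
    total = 0
    cur_start = cur_end = None
    for start, end in intervals:
        if cur_end is None or start > cur_end:
            # A gap: close the current run and start a new one.
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = start, end
        else:
            # Overlap (retransmission or partial resend): extend the run.
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += cur_end - cur_start
    return total


def login_looks_successful(segments: List[Segment],
                           threshold: int = SUCCESS_THRESHOLD,
                           dedup: bool = True) -> bool:
    """Apply the size heuristic with either counting method."""
    size = sequence_space_bytes(segments) if dedup else naive_bytes(segments)
    return size >= threshold


# Constructed trace: the server sends 4 x 1000 bytes (4000 bytes of real
# data) towards a client that has been blackholed.  No ACKs come back, so
# the first two segments are retransmitted three more times each.
BLACKHOLED_TRACE: List[Segment] = [
    (0, 1000), (1000, 1000), (2000, 1000), (3000, 1000),
    (0, 1000), (1000, 1000),
    (0, 1000), (1000, 1000),
    (0, 1000), (1000, 1000),
]

if __name__ == "__main__":
    print("naive payload sum:     ", naive_bytes(BLACKHOLED_TRACE))
    print("sequence space covered:", sequence_space_bytes(BLACKHOLED_TRACE))
    print("naive verdict:   ", login_looks_successful(BLACKHOLED_TRACE, dedup=False))
    print("sequence verdict:", login_looks_successful(BLACKHOLED_TRACE))
```

On the constructed trace the naive sum reaches 10000 bytes and crosses the threshold, while the merged sequence space is 4000 bytes and does not; the false positive the ticket describes is exactly that gap.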


[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1365:
--
Priority: Low  (was: Normal)

 direction field of SSH::Info no longer populated
 

 Key: BIT-1365
 URL: https://bro-tracker.atlassian.net/browse/BIT-1365
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Jon Siwek
Assignee: Vlad Grigorescu
Priority: Low
 Fix For: 2.4


 Here's the bug report:
 {quote}
 Reporter::ERROR   field value missing
 [SSH::c$ssh$direction]
 /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro, line 29
 Reporter::WARNING non-void function returns without a value:
 SSH::get_location (empty)
 Tracing this back, it looks like the SSH::c$ssh$direction is not being
 populated. I checked the /base/protocols/ssh/main.bro file and it looks
 like the function is missing.
 Looking at https://www.bro.org/sphinx/_downloads/main32.bro and
 https://github.com/bro/bro/blob/master/scripts/base/protocols/ssh/main.bro
 it looks like the function that determined the direction was removed at
 one point, which looks like it causes the
 /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro script to fail
 {quote}





[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1365:
--
Priority: Normal  (was: Low)

 direction field of SSH::Info no longer populated
 

 Key: BIT-1365
 URL: https://bro-tracker.atlassian.net/browse/BIT-1365
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Jon Siwek
Assignee: Vlad Grigorescu
 Fix For: 2.4


 Here's the bug report:
 {quote}
 Reporter::ERROR   field value missing
 [SSH::c$ssh$direction]
 /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro, line 29
 Reporter::WARNING non-void function returns without a value:
 SSH::get_location (empty)
 Tracing this back, it looks like the SSH::c$ssh$direction is not being
 populated. I checked the /base/protocols/ssh/main.bro file and it looks
 like the function is missing.
 Looking at https://www.bro.org/sphinx/_downloads/main32.bro and
 https://github.com/bro/bro/blob/master/scripts/base/protocols/ssh/main.bro
 it looks like the function that determined the direction was removed at
 one point, which looks like it causes the
 /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro script to fail
 {quote}





[Bro-Dev] [JIRA] (BIT-1353) BroCtl status/top take excessive amount of time

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20224#comment-20224
 ] 

Robin Sommer commented on BIT-1353:
---

set timeout to 30s and make configurable, revisit later when Broker is there

 BroCtl status/top take excessive amount of time
 ---

 Key: BIT-1353
 URL: https://bro-tracker.atlassian.net/browse/BIT-1353
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
 Fix For: 2.4


 After running a large bro cluster for a few days on a FreeBSD system (FreeBSD 
 10.1, 28 physical nodes, 81 worker processes), broctl actions that interact 
 with all nodes seem to take excessive amounts of time (2 minutes for a 
 broctl status). This was not the case right after starting up the cluster.
 If there is any way I can help with more information, please let me know what 
 to do.





[Bro-Dev] [JIRA] (BIT-1331) Bro manager crashes when logs rotate

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1331:
--
Priority: Low  (was: High)

 Bro manager crashes when logs rotate
 

 Key: BIT-1331
 URL: https://bro-tracker.atlassian.net/browse/BIT-1331
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master, 2.4
 Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
Reporter: Josh Liburdi
Priority: Low
 Fix For: 2.4


 The Bro manager crashes when the logs rotate. Workers run fine through this 
 process. 
 stderr.log output:
 internal error: finish missing
 /usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted 
 (core dumped) nohup $mybro $@
 send-mail: SENDMAIL-NOTFOUND not found





[Bro-Dev] [JIRA] (BIT-1337) Bro worker crash - terminate after 'std::length_error'

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1337:
-

Assignee: Vlad Grigorescu

 Bro worker crash - terminate after 'std::length_error'
 --

 Key: BIT-1337
 URL: https://bro-tracker.atlassian.net/browse/BIT-1337
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Josh Liburdi
Assignee: Vlad Grigorescu
 Fix For: 2.4


 Running Bro master with the Kerberos and RDP analyzer branches resulted in 
 one crashed worker on a pf_ring cluster. BroControl diag results below:
 terminate called after throwing an instance of 'std::length_error'
 what():  basic_string::_S_create
 /usr/local/bro/share/broctl/scripts/run-bro: line 85: 195850 Aborted  
(core dumped) nohup $mybro $@





[Bro-Dev] [JIRA] (BIT-1337) Bro worker crash - terminate after 'std::length_error'

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20227#comment-20227
 ] 

Robin Sommer commented on BIT-1337:
---

Let's do a quick sanity check of the code.

 Bro worker crash - terminate after 'std::length_error'
 --

 Key: BIT-1337
 URL: https://bro-tracker.atlassian.net/browse/BIT-1337
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Josh Liburdi
 Fix For: 2.4


 Running Bro master with the Kerberos and RDP analyzer branches resulted in 
 one crashed worker on a pf_ring cluster. BroControl diag results below:
 terminate called after throwing an instance of 'std::length_error'
 what():  basic_string::_S_create
 /usr/local/bro/share/broctl/scripts/run-bro: line 85: 195850 Aborted  
(core dumped) nohup $mybro $@





[Bro-Dev] [JIRA] (BIT-1154) Formatters restructed in: topic/seth/json-formatter

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1154:
-

Assignee: Seth Hall

 Formatters restructed in: topic/seth/json-formatter
 ---

 Key: BIT-1154
 URL: https://bro-tracker.atlassian.net/browse/BIT-1154
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Affects Versions: 2.4
Reporter: Seth Hall
Assignee: Seth Hall
 Fix For: 2.4


 topic/seth/json-formatter has an abstraction for Formatters and I created a 
 formatters directory under threading.  There is also a new JSON formatter and 
 support in the Ascii and ElasticSearch writers for the JSON formatter.
 I went ahead and threw in per-filter configuration options for the Ascii 
 writer for all of the options that were exposed globally too.





[Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1263:
--
Fix Version/s: (was: 2.4)
   2.5

 Implementing three event handlers for supported data structure in Modbus 
 Analyzer
 -

 Key: BIT-1263
 URL: https://bro-tracker.atlassian.net/browse/BIT-1263
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Reporter: hui
Priority: Low
  Labels: analyzer, modbus
 Fix For: 2.5


 Three support data structures are defined in Modbus analyzer:
 FileRecordRequest,
 FileRecordResponse,
 ReferenceWithData
 Three event handlers are declared for them. 
 The changes are already made and pushed into the branch:
 topic/hui/modbus-events2





[Bro-Dev] [JIRA] (BIT-1345) Crash due to a bad dictionary insert

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1345:
-

Assignee: Jon Siwek

 Crash due to a bad dictionary insert
 

 Key: BIT-1345
 URL: https://bro-tracker.atlassian.net/browse/BIT-1345
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Aaron Eppert
Assignee: Jon Siwek
Priority: High
 Fix For: 2.4


 #0  0x00713b87 in Dictionary::Insert (this=0x1339840, 
 new_entry=0xb18a9d0, copy_key=0) at /root/redacted/bro/src/Dict.cc:419
 #1  0x007130b0 in Dictionary::Insert (this=0x1339840, key=0xa23f6d0, 
 key_size=36, hash=658668102, val=0x67fde40, copy_key=0) at 
 /root/redacted/bro/src/Dict.cc:158
 #2  0x006cb508 in Dictionary::Insert (this=0x1339840, 
 key=0x74ba81b0, val=0x67fde40) at /root/redacted/bro/src/Dict.h:47
 #3  0x0077ee9b in IDPDict::Insert (this=0x1339840, key=0xebf780 
 #redacted-redacted.redacted.redacted#21703#1182, val=0x67fde40) at 
 /root/redacted/bro/src/Scope.h:18
 #4  0x0077ef05 in Scope::Insert (this=0x133a8b0, name=0xebf780 
 #redacted-redacted.redacted.redacted#21703#1182, id=0x67fde40) at 
 /root/redacted/bro/src/Scope.h:26
 #5  0x008010cc in MutableVal::Bind (this=0x14f451f0) at 
 /root/redacted/bro/src/Val.cc:624
 #6  0x00800ec8 in MutableVal::AddProperties (this=0x14f451f0, 
 arg_props=2 '\002') at /root/redacted/bro/src/Val.cc:558
 #7  0x0080a8d6 in RecordVal::AddProperties (this=0x14f451f0, 
 arg_props=2 '\002') at /root/redacted/bro/src/Val.cc:2866
 #8  0x00805948 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, 
 k=0x0, new_val=0x14f451f0, op=OP_ASSIGN) at 
 /root/redacted/bro/src/Val.cc:1502
 #9  0x00805501 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, 
 new_val=0x14f451f0, op=OP_ASSIGN) at /root/redacted/bro/src/Val.cc:1442
 #10 0x00738b13 in IndexExpr::Assign (this=0x2087350, f=0x12073280, 
 v=0x14f451f0, op=OP_ASSIGN) at /root/redacted/bro/src/Expr.cc:3135
 #11 0x007362a2 in RefExpr::Assign (this=0x2087540, f=0x12073280, 
 v=0x14f451f0, opcode=OP_ASSIGN) at /root/redacted/bro/src/Expr.cc:2463
 #12 0x007370ea in AssignExpr::Eval (this=0x20874d0, f=0x12073280) at 
 /root/redacted/bro/src/Expr.cc:2673
 #13 0x007e22bb in ExprStmt::Exec (this=0x2087660, f=0x12073280, 
 flow=@0x74ba8624) at /root/redacted/bro/src/Stmt.cc:369
 #14 0x007e8375 in StmtList::Exec (this=0x2082c80, f=0x12073280, 
 flow=@0x74ba8624) at /root/redacted/bro/src/Stmt.cc:1764
 #15 0x0074e6cd in BroFunc::Call (this=0x2087e70, args=0x13525bb0, 
 parent=0x0) at /root/redacted/bro/src/Func.cc:386
 #16 0x00725883 in EventHandler::Call (this=0x2082160, vl=0x13525bb0, 
 no_remote=false) at /root/redacted/bro/src/EventHandler.cc:80
 #17 0x006d8cc2 in Event::Dispatch (this=0x620e610, no_remote=false) 
 at /root/redacted/bro/src/Event.h:50
 #18 0x00724ef7 in EventMgr::Dispatch (this=0xebd400) at 
 /root/redacted/bro/src/Event.cc:111
 #19 0x00725032 in EventMgr::Drain (this=0xebd400) at 
 /root/redacted/bro/src/Event.cc:128
 #20 0x00788828 in net_packet_dispatch (t=1426626559.98401, 
 hdr=0x3314d40, pkt=0x7f14a8b464cc Address 0x7f14a8b464cc out of bounds, 
 hdr_size=14, src_ps=0x3314c00)
 at /root/redacted/bro/src/Net.cc:278
 #21 0x00a786d5 in iosource::PktSrc::Process (this=0x3314c00) at 
 /root/redacted/bro/src/iosource/PktSrc.cc:411
 #22 0x007889f8 in net_run () at /root/redacted/bro/src/Net.cc:320
 #23 0x006d8157 in main (argc=20, argv=0x74ba9188) at 
 /root/redacted/bro/src/main.cc:1200





[Bro-Dev] [JIRA] (BIT-1352) Certificate validation script does not deal well with root-certs being sent by server

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1352:
--
Fix Version/s: (was: 2.4)
   2.5

 Certificate validation script does not deal well with root-certs being sent 
 by server
 -

 Key: BIT-1352
 URL: https://bro-tracker.atlassian.net/browse/BIT-1352
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Johanna Amann
 Fix For: 2.5


 Currently, the validate-certs script in policy does not deal well with 
 certain certificate chains, where the trust-anchor is being sent by the 
 server. We should be able to fix this by removing the trust-anchor 
 automatically from the chain; solving this might potentially change the way 
 root-certs are currently being loaded into Bro.
 Example server: access.redhat.com





[Bro-Dev] [JIRA] (BIT-1349) Broctl stop output is not sorted anymore

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1349:
--
Resolution: Fixed
Status: Closed  (was: Open)

 Broctl stop output is not sorted anymore
 

 Key: BIT-1349
 URL: https://bro-tracker.atlassian.net/browse/BIT-1349
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
Priority: Trivial
 Fix For: 2.4


 Minor: the output of the worker nodes when doing broctl stop is not sorted 
 anymore. We should either sort it (or just skip outputting it altogether) - 
 at the moment it is not really useful; if there is no numerical order it is 
 difficult to see if a number one wants to have in there is missing or not.





[Bro-Dev] [JIRA] (BIT-1362) topic/dnthayer/fixes-for-2.4

2015-04-01 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20216#comment-20216
 ] 

Robin Sommer commented on BIT-1362:
---

Justin, feel like doing your first merge? :-)

 topic/dnthayer/fixes-for-2.4
 

 Key: BIT-1362
 URL: https://bro-tracker.atlassian.net/browse/BIT-1362
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Reporter: Daniel Thayer
Assignee: Justin Azoff
 Fix For: 2.4


 The branch topic/dnthayer/fixes-for-2.4 contains fixes that address
 BIT-1360, 1355, 1349, 1329, and 631, as well as various other fixes
 and improvements.





[Bro-Dev] [JIRA] (BIT-1362) topic/dnthayer/fixes-for-2.4

2015-04-01 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1362:
-

Assignee: Justin Azoff

 topic/dnthayer/fixes-for-2.4
 

 Key: BIT-1362
 URL: https://bro-tracker.atlassian.net/browse/BIT-1362
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Reporter: Daniel Thayer
Assignee: Justin Azoff
 Fix For: 2.4


 The branch topic/dnthayer/fixes-for-2.4 contains fixes that address
 BIT-1360, 1355, 1349, 1329, and 631, as well as various other fixes
 and improvements.





[Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer

2015-03-31 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20204#comment-20204
 ] 

Robin Sommer commented on BIT-1263:
---

Yeah, I would like to have test cases before merging this. Did you test the new 
messages in some form when you developed the code?

 Implementing three event handlers for supported data structure in Modbus 
 Analyzer
 -

 Key: BIT-1263
 URL: https://bro-tracker.atlassian.net/browse/BIT-1263
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Reporter: hui
Priority: Low
  Labels: analyzer, modbus
 Fix For: 2.4


 Three support data structures are defined in Modbus analyzer:
 FileRecordRequest,
 FileRecordResponse,
 ReferenceWithData
 Three event handlers are declared for them. 
 The changes are already made and pushed into the branch:
 topic/hui/modbus-events2





[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer

2015-03-25 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1344:
--





I would prefer staying with the well-known ports. I see the argument
for signature-only, but it would be inconsistent with how the other
analyzers work, making it hard to explain to people what's going on.
And I don't expect much of a problem in terms of efficiency for SSH.



 New SSH Analyzer
 

 Key: BIT-1344
 URL: https://bro-tracker.atlassian.net/browse/BIT-1344
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: 2.4
Reporter: Vlad Grigorescu
Assignee: Vlad Grigorescu

 The SSH analyzer was rewritten from scratch in topic/vladg/ssh.





Re: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer

2015-03-25 Thread Robin Sommer


On Tue, Mar 24, 2015 at 16:52 -0500, you wrote:

 This is something I've actually been moving away from. If I have a
 high level of confidence in the DPD signature, I'd rather rely on
 that, since I believe it will be more efficient than to try to attach
 the analyzer to all traffic on that port, and wait for a violation.
 This was based off some informal discussions with Seth, but I'm happy
 to throw it out to bro-dev and see what others think.

I would prefer staying with the well-known ports. I see the argument
for signature-only, but it would be inconsistent with how the other
analyzers work, making it hard to explain to people what's going on.
And I don't expect much of a problem in terms of efficiency for SSH.



[Bro-Dev] [JIRA] (BIT-1313) Add help and all options to -B

2015-03-23 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20107#comment-20107
 ] 

Robin Sommer commented on BIT-1313:
---

Adapted and merged in 1dbc5ed523700c5c

 Add help and all options to -B 
 ---

 Key: BIT-1313
 URL: https://bro-tracker.atlassian.net/browse/BIT-1313
 Project: Bro Issue Tracker
  Issue Type: Patch
  Components: Bro
Reporter: jdonnelly
Assignee: Robin Sommer
 Fix For: 2.4

 Attachments: log.diff


 Expand -B to include all,help, and list all the various debug trace points :
 #/usr/local/bro/bin/bro -B poo
 fatal error: unknown debug stream poo, try -B help.
 # /usr/local/bro/bin/bro -B help  
 Options may be separated by ,
 all
 help
 serial
 rules
 comm
 state
 chunkedio
 compressor
 string
 notifiers
 main-loop
 dpd
 tm
 logging
 input
 threading
 file_analysis
 plugins
 broxygen
 pktio





[Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1324:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 default_path_func does weird things to underscores
 --

 Key: BIT-1324
 URL: https://bro-tracker.atlassian.net/browse/BIT-1324
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Justin Azoff
Assignee: Robin Sommer
Priority: Low
  Labels: logging
 Fix For: 2.4


 The following script creates a 
 {noformat}
 foo__b_ar.log
 {noformat}
  
 instead of the expected {noformat}foo_bar{noformat}
 {code}
 module FOO_BAR;
 export {
 redef enum Log::ID += { LOG };
 type Info: record {
   ts: time &log;
   msg: string &log;
 };
 }
 event bro_init() {
 # No $path given, so default_path_func derives the file name from the module name.
 Log::create_stream(LOG, [$columns=Info]);
 local l = [$ts = network_time(), $msg="hello"];
 Log::write(LOG, l);
 print "Logged";
 }
 {code}
 The problem is in script land in default_path_func
 {code}
 local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
 print module_parts;
 {code}
 outputs 
 {code}
 [FOO, _B, AR]
 {code}



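
The split shown in the ticket is enough to reproduce the whole mis-naming. The following Python model is an added example for this page, not Bro script and not the fix that was merged for BIT-1324: it mimics split_string_n with separators kept, rebuilds the path the way the observed "foo__b_ar" implies default_path_func glues the pieces back together (that reconstruction is an assumption), and contrasts it with a corrected boundary pattern of my own that refuses to treat an underscore as the start of a CamelCase boundary.

```python
import re

# The boundary pattern from the ticket: a non-uppercase character, an uppercase
# letter, then any run of lowercase letters ("eM" + "odule" in "SomeModule").
BOUNDARY = re.compile(r"([^A-Z][A-Z][a-z]*)")

# Own correction (not the fix merged for BIT-1324): an underscore already is a
# word boundary, so it must never start a CamelCase match.
FIXED_BOUNDARY = re.compile(r"([^A-Z_][A-Z][a-z]*)")


def split_with_seps(name, boundary=BOUNDARY, max_seps=4):
    """Model of split_string_n(name, /.../, T, 4): matches are returned as their
    own elements (incl_sep=T), at most max_seps of them."""
    return boundary.split(name, maxsplit=max_seps)


def module_to_path(name, boundary=BOUNDARY):
    """Rebuild the log path the way the ticket's output implies default_path_func
    does (an assumption from "FOO_BAR" -> "foo__b_ar", not the project's script):
    the first character of each separator is glued back onto the previous word
    and an underscore is inserted after it."""
    parts = split_with_seps(name, boundary)
    out = parts[0]
    for i, part in enumerate(parts[1:], start=1):
        if not part:
            continue
        if i % 2 == 1:                      # separator: "eModule" -> "e_Module"
            out += part[0] + "_" + part[1:]
        else:                               # text after a separator: "Name" -> "_Name"
            out += "_" + part
    return out.lower()


def module_to_path_fixed(name):
    return module_to_path(name, FIXED_BOUNDARY)


def compare(names=("FOO_BAR", "Some_Module", "SomeModule", "SomeModuleName", "Notice")):
    """(module name, path as the ticket's logic builds it, path with the corrected pattern)."""
    return [(n, module_to_path(n), module_to_path_fixed(n)) for n in names]
```

Running compare() shows that plain CamelCase names come out identical under both patterns, while any module name containing an underscore gets a doubled underscore from the original pattern. That matters beyond aesthetics: log shippers and detection pipelines usually match on the exact file name, so a silently renamed log is a log nobody reads.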


[Bro-Dev] [JIRA] (BIT-1347) Please merge topic/johanna/dtls

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1347:
-

Assignee: Robin Sommer

 Please merge topic/johanna/dtls
 ---

 Key: BIT-1347
 URL: https://bro-tracker.atlassian.net/browse/BIT-1347
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Robin Sommer
  Labels: dtls, ssl
 Fix For: 2.4


 Please merge topic/johanna/dtls
 First and foremost, this branch brings DTLS 1.0 / 1.2 support to Bro. DTLS is 
 mostly handled just like SSL. It emits the same events and thus works 
 seamlessly with the current SSL scripts in the Bro core.
 Furthermore, it implements TLS record layer defragmentation for the TLS 
 Handshake protocol, enabling us e.g. to deal with connections containing large 
 certificates.
 The analyzer is now split into three parts: an SSL/TLS analyzer, a DTLS 
 analyzer and a TLS handshake protocol analyzer. The SSL/TLS and DTLS analyzers 
 share a large amount of code by including common pac-files.



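
The record-layer defragmentation the branch description mentions, as an added Python illustration for this page (it is not the branch's binpac analyzer and not code from the Bro project): a handshake message such as a large Certificate is carried in several TLS records, and the handshake-layer 4-byte header (type, 3-byte length) has to be read from the concatenated record payloads rather than from any single record. The sample flight below is constructed, with filler bytes standing in for the certificate.

```python
import struct

TLS_HANDSHAKE = 22       # record-layer content type
HS_SERVER_HELLO = 2
HS_CERTIFICATE = 11
MAX_PLAINTEXT = 16384    # 2^14, the largest TLS plaintext record


def handshake_message(hs_type, body):
    """Handshake layer: 1-byte type, 3-byte big-endian length, body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def to_records(content_type, payload, version=b"\x03\x03", max_len=MAX_PLAINTEXT):
    """Record layer: chop one content-layer byte stream into records with
    5-byte headers (type, version, length). The split ignores message boundaries,
    which is exactly what makes reassembly necessary on the receiving side."""
    out = bytearray()
    for i in range(0, len(payload), max_len):
        chunk = payload[i:i + max_len]
        out += bytes([content_type]) + version + struct.pack("!H", len(chunk)) + chunk
    return bytes(out)


class HandshakeReassembler:
    """Accumulate handshake-record payloads and emit whole handshake messages."""

    def __init__(self):
        self.buf = bytearray()
        self.messages = []          # (handshake type, body)

    def feed(self, content_type, payload):
        if content_type != TLS_HANDSHAKE:
            if self.buf:
                # Fragments of one handshake message may not be interleaved
                # with other record types (made explicit in RFC 8446, 5.1).
                raise ValueError("record type %d inside a fragmented handshake message" % content_type)
            return
        self.buf += payload
        while len(self.buf) >= 4:
            length = int.from_bytes(self.buf[1:4], "big")
            if len(self.buf) < 4 + length:
                break               # message continues in a later record
            self.messages.append((self.buf[0], bytes(self.buf[4:4 + length])))
            del self.buf[:4 + length]


def reassemble(stream):
    """Walk a byte string of TLS records and return the reassembled handshake messages."""
    r = HandshakeReassembler()
    off = 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError("truncated record header at offset %d" % off)
        ctype = stream[off]
        length = struct.unpack("!H", stream[off + 3:off + 5])[0]
        payload = stream[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body at offset %d" % off)
        r.feed(ctype, payload)
        off += 5 + length
    return r.messages


def record_count(stream):
    n, off = 0, 0
    while off < len(stream):
        off += 5 + struct.unpack("!H", stream[off + 3:off + 5])[0]
        n += 1
    return n


def build_sample():
    """Constructed server flight: a ServerHello followed by a 40000-byte
    Certificate message whose body is filler, not a real certificate."""
    server_hello = handshake_message(
        HS_SERVER_HELLO, b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00")
    cert_body = bytes(range(256)) * 156 + bytes(64)      # 40000 bytes
    stream = to_records(TLS_HANDSHAKE, server_hello + handshake_message(HS_CERTIFICATE, cert_body))
    return stream, cert_body
```

The constructed flight spans three records; reassemble() returns the ServerHello and the full Certificate message regardless of where the record boundaries fall. An analyzer that parsed each record on its own would see the Certificate's length field, then run out of data and either drop the certificate or raise a protocol violation, which is the "large certificates" failure the branch addresses.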


[Bro-Dev] [JIRA] (BIT-342) Add payload to ICMP analyzer

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-342:
-
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

.

 Add payload to ICMP analyzer
 

 Key: BIT-342
 URL: https://bro-tracker.atlassian.net/browse/BIT-342
 Project: Bro Issue Tracker
  Issue Type: Patch
  Components: Bro
Affects Versions: 1.5.2
Reporter: Seth Hall
Assignee: Robin Sommer
 Fix For: 2.4

 Attachments: ICMP-add-payload.diff


 This is a patch from Julien Sentier on the mailing list that makes ICMP 
 payloads available at the scripting layer.  Is there a reason this isn't 
 already available?  I would have committed it to fastpath except I don't know 
 if it's not already doing this due to the potential overhead of creating a 
 lot of strings in ICMP floods.  At the very least, I suppose it could be 
 optional (which the patch doesn't currently do).





[Bro-Dev] [JIRA] (BIT-788) Good analysis of unidirectional DNS flows

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-788:
-
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 Good analysis of unidirectional DNS flows
 -

 Key: BIT-788
 URL: https://bro-tracker.atlassian.net/browse/BIT-788
 Project: Bro Issue Tracker
  Issue Type: Patch
  Components: Bro
Affects Versions: git/master
Reporter: juliensentier
Assignee: Robin Sommer
 Fix For: 2.4

 Attachments: 
 0011-Good-analysis-of-unidirectional-answer-DNS-traffic-f.patch


 Some use UDP port 53 as a source port for DNS requests.
 And sometimes we can miss the DNS request.
 In this case, we can rely on the DNS field QR to identify the direction of 
 the flow.



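
An added Python illustration of the QR-flag approach (not the attached patch and not Bro's own DNS analyzer): the port heuristic cannot orient a flow when both endpoints use 53, and it orients it backwards when the first packet seen is the answer, while the QR bit in the DNS header answers the question directly. Packets and addresses below are constructed for the example.

```python
import struct

QR_BIT = 0x8000   # top bit of the DNS flags word: 0 = query, 1 = response


def dns_header(txid, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Build the 12-byte DNS header (constructed test data, not captured traffic)."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


def direction_from_qr(payload):
    """'query' or 'response' from the QR flag; refuses truncated payloads rather
    than guessing from garbage."""
    if len(payload) < 12:
        raise ValueError("need a 12-byte DNS header, got %d bytes" % len(payload))
    (flags,) = struct.unpack("!H", payload[2:4])
    return "response" if flags & QR_BIT else "query"


def direction_from_ports(sport, dport):
    """The port heuristic: whichever side sits on 53 is the server.
    None when it cannot decide (both ends, or neither, on 53)."""
    if dport == 53 and sport != 53:
        return "query"
    if sport == 53 and dport != 53:
        return "response"
    return None


def orient_flow(src, dst, payload):
    """src and dst are (ip, port). Return (originator, responder) for this packet.
    A packet that carries an answer was sent by the responder, so a flow whose
    first observed packet is the response (the query was missed) still gets
    attributed to the right client."""
    if direction_from_qr(payload) == "query":
        return src, dst
    return dst, src


# Constructed packets: (src, dst, payload). Flags 0x0100 is a standard query
# with RD set; 0x8180 is a standard response with RD and RA set.
CLIENT = ("10.0.0.5", 53)          # a resolver that sends its queries from port 53
SERVER = ("192.0.2.53", 53)
SAMPLES = [
    (CLIENT, SERVER, dns_header(0x1A2B, 0x0100)),                 # query, both ends on 53
    (SERVER, CLIENT, dns_header(0x1A2B, 0x8180, ancount=1)),      # answer, query not seen
    (("10.0.0.5", 40123), SERVER, dns_header(0x3C4D, 0x0100)),    # ordinary ephemeral port
]


def run_samples(samples=SAMPLES):
    """Per packet: what the ports say, what QR says, and who originated the flow."""
    out = []
    for src, dst, payload in samples:
        out.append((direction_from_ports(src[1], dst[1]),
                    direction_from_qr(payload),
                    orient_flow(src, dst, payload)[0]))
    return out
```

For the first two packets the port heuristic returns None, and for the second one a port-only analyzer would also have logged 192.0.2.53 as the client; QR attributes both to 10.0.0.5. The flag is still attacker-controlled data in a UDP packet, so it settles direction for the purpose of parsing and logging, not trust.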


[Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1199:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 Better error messages for input file errors in READER_ASCII
 ---

 Key: BIT-1199
 URL: https://bro-tracker.atlassian.net/browse/BIT-1199
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Vlad Grigorescu
Assignee: Robin Sommer
 Fix For: 2.4

 Attachments: test.intel


 This came up on the mailing list a few weeks ago. If one tries to load the 
 attached file as Intelligence, Bro will error out, with:
 {code}
 internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var 
 size: 0
 {code}
 The attached file contains an extra tab after downloader.com.
 It'd be nice if Bro would tell you that this was an issue with the input 
 reader, which file it occurred in, and a line number.
 I think generally speaking, if there's an issue with an input file, it'd be 
 nice to know the line number.
 (Also, there's a typo in mappimg in the error message that's currently 
 displayed).



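
What the ticket asks for, shown as an added Python example rather than a change to Bro's ASCII reader: a parser for the tab-separated intel format that names the file and the 1-based line of the first bad row, and that recognises the specific defect described here, a doubled tab that shifts indicator_type to an empty string (the "var: , var size: 0" in the internal error). The sample files are constructed; the set of indicator types is a subset used only for the example.

```python
import io


class IntelFormatError(ValueError):
    """Error that names the file and 1-based line of the offending row."""

    def __init__(self, path, lineno, message):
        super().__init__("%s:%d: %s" % (path, lineno, message))
        self.path = path
        self.lineno = lineno


# Subset of the values the intel framework accepts in indicator_type;
# enough for the example, the real list is longer.
INDICATOR_TYPES = {"Intel::ADDR", "Intel::DOMAIN", "Intel::URL", "Intel::FILE_HASH"}


def parse_intel(path, text):
    """Parse a '#fields' header line followed by one tab-separated indicator per
    line. Every structural problem is reported as path:line, so the operator
    can go straight to the bad row instead of reading an enum-mapping error."""
    fields, rows = None, []
    for lineno, raw in enumerate(io.StringIO(text), start=1):
        line = raw.rstrip("\r\n")
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise IntelFormatError(path, lineno, "data row before #fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            hint = ""
            empties = [i + 1 for i, c in enumerate(cols) if c == ""]
            if len(cols) > len(fields) and empties:
                hint = "; empty column %d looks like a doubled tab" % empties[0]
            raise IntelFormatError(
                path, lineno, "expected %d fields, found %d%s" % (len(fields), len(cols), hint))
        row = dict(zip(fields, cols))
        if row.get("indicator_type") not in INDICATOR_TYPES:
            raise IntelFormatError(
                path, lineno, "unknown indicator_type %r" % row.get("indicator_type"))
        rows.append(row)
    return rows


def check_intel(path, text):
    """(rows, None) on success, or ([], 'path:line: reason') on the first error."""
    try:
        return parse_intel(path, text), None
    except IntelFormatError as e:
        return [], str(e)


# Constructed sample list.
GOOD_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "evil.example\tIntel::DOMAIN\tconstructed-list\n"
)

# The same list with the ticket's defect: a second tab right after
# downloader.com, which leaves indicator_type empty.
BAD_INTEL = GOOD_INTEL + "downloader.com\t\tIntel::DOMAIN\tconstructed-list\n"
```

check_intel("test.intel", BAD_INTEL) reports "test.intel:3: expected 3 fields, found 4; empty column 2 looks like a doubled tab", which is the message the reporter wanted in place of the internal error. Rejecting the whole file on the first bad row, rather than skipping it, is deliberate: a silently dropped indicator is a blind spot in the intel match.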


[Bro-Dev] [JIRA] (BIT-1347) Please merge topic/johanna/dtls

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1347:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 Please merge topic/johanna/dtls
 ---

 Key: BIT-1347
 URL: https://bro-tracker.atlassian.net/browse/BIT-1347
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Robin Sommer
  Labels: dtls, ssl
 Fix For: 2.4


 Please merge topic/johanna/dtls
 First and foremost, this branch brings DTLS 1.0 / 1.2 support to Bro. DTLS is 
 mostly handled just like SSL. It emits the same events and thus works 
 seamlessly with the current SSL scripts in the Bro core.
 Furthermore, it implements TLS record layer defragmentation for the TLS 
 Handshake protocol, enabling us e.g. to deal with connections containing large 
 certificates.
 The analyzer is now split into three parts: an SSL/TLS analyzer, a DTLS 
 analyzer and a TLS handshake protocol analyzer. The SSL/TLS and DTLS analyzers 
 share a large amount of code by including common pac-files.





[Bro-Dev] [JIRA] (BIT-1313) Add help and all options to -B

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1313:
--
Resolution: Merged
Status: Closed  (was: Open)

 Add help and all options to -B 
 ---

 Key: BIT-1313
 URL: https://bro-tracker.atlassian.net/browse/BIT-1313
 Project: Bro Issue Tracker
  Issue Type: Patch
  Components: Bro
Reporter: jdonnelly
Assignee: Robin Sommer
 Fix For: 2.4

 Attachments: log.diff


 Expand -B to include all,help, and list all the various debug trace points :
 #/usr/local/bro/bin/bro -B poo
 fatal error: unknown debug stream poo, try -B help.
 # /usr/local/bro/bin/bro -B help  
 Options may be separated by ,
 all
 help
 serial
 rules
 comm
 state
 chunkedio
 compressor
 string
 notifiers
 main-loop
 dpd
 tm
 logging
 input
 threading
 file_analysis
 plugins
 broxygen
 pktio





[Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1199:
-

Assignee: Robin Sommer

 Better error messages for input file errors in READER_ASCII
 ---

 Key: BIT-1199
 URL: https://bro-tracker.atlassian.net/browse/BIT-1199
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Vlad Grigorescu
Assignee: Robin Sommer
 Fix For: 2.4

 Attachments: test.intel


 This came up on the mailing list a few weeks ago. If one tries to load the 
 attached file as Intelligence, Bro will error out, with:
 {code}
 internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var 
 size: 0
 {code}
 The attached file contains an extra tab after downloader.com.
 It'd be nice if Bro would tell you that this was an issue with the input 
 reader, which file it occurred in, and a line number.
 I think generally speaking, if there's an issue with an input file, it'd be 
 nice to know the line number.
 (Also, there's a typo in mappimg in the error message that's currently 
 displayed).





[Bro-Dev] [JIRA] (BIT-342) Add payload to ICMP analyzer

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-342:


Assignee: Robin Sommer

 Add payload to ICMP analyzer
 

 Key: BIT-342
 URL: https://bro-tracker.atlassian.net/browse/BIT-342
 Project: Bro Issue Tracker
  Issue Type: Patch
  Components: Bro
Affects Versions: 1.5.2
Reporter: Seth Hall
Assignee: Robin Sommer
 Fix For: 2.4

 Attachments: ICMP-add-payload.diff


 This is a patch from Julien Sentier on the mailing list that makes ICMP 
 payloads available at the scripting layer.  Is there a reason this isn't 
 already available?  I would have committed it to fastpath except I don't know 
 if it's not already doing this due to the potential overhead of creating a 
 lot of strings in ICMP floods.  At the very least, I suppose it could be 
 optional (which the patch doesn't currently do).





[Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1324:
-

Assignee: Robin Sommer

 default_path_func does weird things to underscores
 --

 Key: BIT-1324
 URL: https://bro-tracker.atlassian.net/browse/BIT-1324
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Justin Azoff
Assignee: Robin Sommer
Priority: Low
  Labels: logging
 Fix For: 2.4


 The following script creates a 
 {noformat}
 foo__b_ar.log
 {noformat}
  
 instead of the expected {noformat}foo_bar{noformat}
 {code}
 module FOO_BAR;
 export {
 redef enum Log::ID += { LOG };
 type Info: record {
   ts: time &log;
   msg: string &log;
 };
 }
 event bro_init() {
 # No $path given, so default_path_func derives the file name from the module name.
 Log::create_stream(LOG, [$columns=Info]);
 local l = [$ts = network_time(), $msg="hello"];
 Log::write(LOG, l);
 print "Logged";
 }
 {code}
 The problem is in script land in default_path_func
 {code}
 local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
 print module_parts;
 {code}
 outputs 
 {code}
 [FOO, _B, AR]
 {code}





[Bro-Dev] [JIRA] (BIT-788) Good analysis of unidirectional DNS flows

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-788:


Assignee: Robin Sommer

 Good analysis of unidirectional DNS flows
 -

 Key: BIT-788
 URL: https://bro-tracker.atlassian.net/browse/BIT-788
 Project: Bro Issue Tracker
  Issue Type: Patch
  Components: Bro
Affects Versions: git/master
Reporter: juliensentier
Assignee: Robin Sommer
 Fix For: 2.4

 Attachments: 
 0011-Good-analysis-of-unidirectional-answer-DNS-traffic-f.patch


 Some use UDP port 53 as a source port for DNS requests.
 And sometimes we can miss the DNS request.
 In this case, we can rely on the DNS field QR to identify the direction of 
 the flow.





[Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII

2015-03-17 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1199:
-

Assignee: Johanna Amann  (was: Robin Sommer)

 Better error messages for input file errors in READER_ASCII
 ---

 Key: BIT-1199
 URL: https://bro-tracker.atlassian.net/browse/BIT-1199
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: grigorescu
Assignee: Johanna Amann
 Fix For: 2.4

 Attachments: test.intel


 This came up on the mailing list a few weeks ago. If one tries to load the 
 attached file as Intelligence, Bro will error out, with:
 {code}
 internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var 
 size: 0
 {code}
 The attached file contains an extra tab after downloader.com.
 It'd be nice if Bro would tell you that this was an issue with the input 
 reader, which file it occurred in, and a line number.
 I think generally speaking, if there's an issue with an input file, it'd be 
 nice to know the line number.
 (Also, there's a typo in mappimg in the error message that's currently 
 displayed).





[Bro-Dev] [JIRA] (BIT-1341) topic/dnthayer/fixes-for-2.4beta

2015-03-17 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1341:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 topic/dnthayer/fixes-for-2.4beta
 

 Key: BIT-1341
 URL: https://bro-tracker.atlassian.net/browse/BIT-1341
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Reporter: Daniel Thayer
Assignee: Robin Sommer
 Fix For: 2.4


 Branch topic/dnthayer/fixes-for-2.4beta in the broctl repo addresses the 
 following issues:
 -Improved test setup scripts to specify correct bro install prefix.
 -Fix bug where ./configure --conf-files-dir did not work
 -Fix bug where ./configure --scriptdir did not work
 -Print error messages without showing Python stack trace
 -Improved processing of node input args, to remove duplicates and sort
 -Improved sorting of the output by node type and name
 -Added the deploy command
 -Update docs for the deploy command





[Bro-Dev] [JIRA] (BIT-1332) Please merge topic/johanna/cert-validation

2015-03-17 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1332:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 Please merge topic/johanna/cert-validation
 --

 Key: BIT-1332
 URL: https://bro-tracker.atlassian.net/browse/BIT-1332
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Robin Sommer
 Fix For: 2.4


 Please merge topic/johanna/cert-validation. This is an update to the script 
 used to validate certificates in SSL/TLS connections. Description from main 
 commit:
 {quote}
 Update certificate validation script - new version will cache valid
 intermediate chains that it encounters on the wire and use those to try
 to validate chains that might be missing intermediate certificates.
 This vastly improves the number of certificates that Bro can validate.
 The only drawback is that now validation behavior is not entirely
 predictable anymore - the certificate of a server can fail to validate
 when Bro just started up (due to the intermediate missing), and succeed
 later, when the intermediate can be found in the cache.
 Has been tested on big-ish clusters and should not introduce any
 performance problems.
 {quote}



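
The caching behaviour the commit message describes, and its drawback, as an added structural model in Python (not the branch's validation script, and no X.509 parsing or signature checking: certificates are reduced to subject and issuer so that only the chain-building order is shown). The PKI below is constructed for the example.

```python
from collections import namedtuple

# Structural model only: a certificate is (subject, issuer). Signatures,
# validity periods and name constraints are not checked; what is modelled is
# the chain-building order and the cache of intermediates.
Cert = namedtuple("Cert", "subject issuer")


class ChainValidator:
    def __init__(self, roots):
        self.roots = {c.subject: c for c in roots}   # trust anchors, by subject
        self.cache = {}                              # intermediates learned from validated chains

    def build_chain(self, presented):
        """Follow issuer links from the leaf. A link the server did not send is
        looked up in the cache. Returns leaf..root, or None if a link is missing."""
        if not presented:
            return None
        sent = {c.subject: c for c in presented[1:]}
        chain, cur, seen = [presented[0]], presented[0], set()
        while cur.issuer not in self.roots:
            nxt = sent.get(cur.issuer) or self.cache.get(cur.issuer)
            if nxt is None or nxt.subject in seen:   # gap in the chain, or an issuer loop
                return None
            seen.add(nxt.subject)
            chain.append(nxt)
            cur = nxt
        chain.append(self.roots[cur.issuer])
        return chain

    def validate(self, presented):
        chain = self.build_chain(presented)
        if chain is None:
            return False
        # Learn only from chains that reached a trust anchor: an intermediate
        # that does not chain to our roots never enters the cache, so a peer
        # cannot seed it with CAs of its own choosing.
        for c in chain[1:-1]:
            self.cache.setdefault(c.subject, c)
        return True


# Constructed PKI for the demonstration.
ROOT = Cert("Example Root CA", "Example Root CA")
INTER = Cert("Example Issuing CA", "Example Root CA")
LEAF_A = Cert("a.example", "Example Issuing CA")
LEAF_B = Cert("b.example", "Example Issuing CA")


def scenario():
    """b.example never sends its intermediate. It fails until some other
    connection (a.example) has shown that intermediate, then succeeds: the
    order dependence the commit message warns about."""
    v = ChainValidator([ROOT])
    return [v.validate([LEAF_B]), v.validate([LEAF_A, INTER]), v.validate([LEAF_B])]
```

scenario() returns [False, True, True]: the same misconfigured server is logged as failing validation early in a Bro run and as passing later, so anyone alerting on validation_status should expect that flip after a restart, and should not read a later success as evidence that the server fixed its chain. Restricting the cache to intermediates from chains that actually reached a root is what keeps the cache from becoming an attacker-controlled trust store.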


[Bro-Dev] [JIRA] (BIT-1305) Consider marking some attributes as deprecated

2015-03-17 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1305:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 Consider marking some attributes as deprecated
 --

 Key: BIT-1305
 URL: https://bro-tracker.atlassian.net/browse/BIT-1305
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Jon Siwek
Assignee: Robin Sommer
 Fix For: 2.4


 Likely candidates for deprecation:
 rotate_interval
 rotate_size
 encrypt
 mergeable
 synchronize
 persistent
 group
 While the mechanism I added in BIT-757 can't be used to mark attributes as 
 deprecated, I'm thinking it's not difficult to just hard code the scanner to 
 emit a warning when encountering certain attributes.





[Bro-Dev] [JIRA] (BIT-1342) Occasional test failures

2015-03-17 Thread Robin Sommer (JIRA)
Robin Sommer created BIT-1342:
-

 Summary: Occasional test failures
 Key: BIT-1342
 URL: https://bro-tracker.atlassian.net/browse/BIT-1342
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Reporter: Robin Sommer
 Fix For: 2.4


Two tests in current master fail for me occasionally (usually when I run the 
full broctl test-suite but not when I rerun just these failing tests). Diag 
output below.

{code}
command.start-stop-standalone ... failed
  % 'btest-diff stop.out' failed unexpectedly (exit code 1)
  % cat .diag
  == File ===
  stopping bro ...
  Exception in thread Thread-1 (most likely raised during interpreter shutdown):
  Traceback (most recent call last):
  File /usr/lib64/python2.7/threading.py, line 811, in __bootstrap_inner
  File 
/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py,
 line
  File 
/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py,
 line
  File /usr/lib64/python2.7/Queue.py, line 177, in get
  File /usr/lib64/python2.7/threading.py, line 354, in wait
  type 'exceptions.TypeError': 'NoneType' object is not callable
  == Diff ===
  --- 
/home/robin/bro/master/aux/broctl/testing/Baseline/command.start-stop-standalone/stop.out
 2013-06-01 00:29:07.
  +++ stop.out  2015-03-17 22:50:01.857838625 +
  @@ -1 +1,9 @@
  stopping bro ...
  +Exception in thread Thread-1 (most likely raised during interpreter 
shutdown):
  +Traceback (most recent call last):
  +  File /usr/lib64/python2.7/threading.py, line 811, in __bootstrap_inner
  +  File 
/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py,
 l
  +  File 
/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py,
 l
  +  File /usr/lib64/python2.7/Queue.py, line 177, in get
  +  File /usr/lib64/python2.7/threading.py, line 354, in wait
  +type 'exceptions.TypeError': 'NoneType' object is not callable
  ===
[...]
command.start-cluster-slowstart ... failed
  % 'btest-diff status2.out' failed unexpectedly (exit code 1)
  % cat .diag
  == File ===
  Getting process status ...
  Getting peer status ...
  Name TypeHost StatusPidPeers  Started
  manager  manager localhoststopped
  proxy-1  proxy   localhoststopped
  worker-1 worker  localhoststopped
  worker-2 worker  localhoststopped
  == Diff ===
  --- 
/home/robin/bro/master/aux/broctl/testing/Baseline/command.start-cluster-slowstart/status2.out
2015-03-04 20:16
  +++ status2.out   2015-03-17 22:50:26.578618684 +
  @@ -3,5 +3,5 @@
  Name TypeHost StatusPidPeers  Started
  manager  manager localhoststopped
  proxy-1  proxy   localhoststopped
  -worker-1 worker  localhostcrashed
  +worker-1 worker  localhoststopped
  worker-2 worker  localhoststopped
  ===
{code}
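Review bot: the traceback in the stop.out hunk is the Python 2 interpreter-shutdown pattern rather than a problem with the baseline: a worker thread started from BroControl/ssh_runner.py is still blocked in Queue.get() -> threading.Condition.wait() while the interpreter tears down module globals, so a name used inside wait() has already become None and the call fails with "'NoneType' object is not callable" (the "most likely raised during interpreter shutdown" line says as much). The fix belongs in ssh_runner.py: stop and join its worker threads before broctl exits, or have them wait with a timeout and check a shutdown flag, instead of leaving them parked in Queue.get() at exit. That also explains why the failure is intermittent and disappears when the test is rerun on its own.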
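Review bot: in the status2.out hunk the baseline expects worker-1 to be reported as "crashed" while this run reports "stopped", and the report says this only happens under the full suite; that points to a timing dependence in the slowstart test (whether the crash had been detected when "status" was taken) rather than a change in the status output. Suggest the test waits for the crash to be observed, or triggers it deterministically, before it runs the status command, so the expected state does not depend on scheduling.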






[Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII

2015-03-17 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1199:
--
Status: Open  (was: Merge Request)

 Better error messages for input file errors in READER_ASCII
 ---

 Key: BIT-1199
 URL: https://bro-tracker.atlassian.net/browse/BIT-1199
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: grigorescu
Assignee: Johanna Amann
 Fix For: 2.4

 Attachments: test.intel


 This came up on the mailing list a few weeks ago. If one tries to load the 
 attached file as Intelligence, Bro will error out, with:
 {code}
 internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var 
 size: 0
 {code}
 The attached file contains an extra tab after downloader.com.
 It'd be nice if Bro would tell you that this was an issue with the input 
 reader, which file it occurred in, and a line number.
 I think generally speaking, if there's an issue with an input file, it'd be 
 nice to know the line number.
 (Also, there's a typo in mappimg in the error message that's currently 
 displayed).





[Bro-Dev] [JIRA] (BIT-1330) topic/python3-compat

2015-03-17 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1330?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1330:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 topic/python3-compat
 

 Key: BIT-1330
 URL: https://bro-tracker.atlassian.net/browse/BIT-1330
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: pysubnettree
Reporter: Jon Siwek
Assignee: Robin Sommer
 Fix For: 2.4


 Updates to pysubnettree for Python 3 compatibility: have to now consider that 
 bytes are a distinct type from strings and allow the API to accept either.





[Bro-Dev] [JIRA] (BIT-1305) Consider marking some attributes as deprecated

2015-03-17 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=19988#comment-19988
 ] 

Robin Sommer commented on BIT-1305:
---

I'll remove mergeable from the list, as that goes with synchronized.

 Consider marking some attributes as deprecated
 --

 Key: BIT-1305
 URL: https://bro-tracker.atlassian.net/browse/BIT-1305
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Jon Siwek
Assignee: Robin Sommer
 Fix For: 2.4


 Likely candidates for deprecation:
 rotate_interval
 rotate_size
 encrypt
 mergeable
 synchronize
 persistent
 group
 While the mechanism I added in BIT-757 can't be used to mark attributes as 
 deprecated, I'm thinking it's not difficult to just hard code the scanner to 
 emit a warning when encountering certain attributes.





[Bro-Dev] [JIRA] (BIT-1341) topic/dnthayer/fixes-for-2.4beta

2015-03-17 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1341:
-

Assignee: Robin Sommer

 topic/dnthayer/fixes-for-2.4beta
 

 Key: BIT-1341
 URL: https://bro-tracker.atlassian.net/browse/BIT-1341
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Reporter: Daniel Thayer
Assignee: Robin Sommer
 Fix For: 2.4


 Branch topic/dnthayer/fixes-for-2.4beta in the broctl repo addresses the 
 following issues:
 -Improved test setup scripts to specify correct bro install prefix.
 -Fix bug where ./configure --conf-files-dir did not work
 -Fix bug where ./configure --scriptdir did not work
 -Print error messages without showing Python stack trace
 -Improved processing of node input args, to remove duplicates and sort
 -Improved sorting of the output by node type and name
 -Added the deploy command
 -Update docs for the deploy command





[Bro-Dev] [JIRA] (BIT-1332) Please merge topic/johanna/cert-validation

2015-03-17 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1332:
-

Assignee: Robin Sommer

 Please merge topic/johanna/cert-validation
 --

 Key: BIT-1332
 URL: https://bro-tracker.atlassian.net/browse/BIT-1332
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Robin Sommer
 Fix For: 2.4


 Please merge topic/johanna/cert-validation. This is an update to the script 
 used to validate certificates in SSL/TLS connections. Description from main 
 commit:
 {quote}
 Update certificate validation script - new version will cache valid
 intermediate chains that it encounters on the wire and use those to try
 to validate chains that might be missing intermediate certificates.
 This vastly improves the number of certificates that Bro can validate.
 The only drawback is that now validation behavior is not entirely
 predictable anymore - the certificate of a server can fail to validate
 when Bro just started up (due to the intermediate missing), and succeed
 later, when the intermediate can be found in the cache.
 Has been tested on big-ish clusters and should not introduce any
 performance problems.
 {quote}




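The caching behaviour described in the commit message above, as an added example that is not Bro's cert-validation script or any code from the ticket. It assumes the `cryptography` package is installed; the root, intermediate and leaf certificates are constructed test data, and the names `make_cert`, `signed_by` and `CachingValidator` are hypothetical. The point it makes visible is the one the ticket flags: the first connection from a server that omits its intermediate fails, a later connection from a server that sends the full chain fills the cache, and the same leaf then validates. It also shows the property a defender wants from such a cache: only intermediates from a chain that closed at a trusted root are remembered, so a self-signed CA presented by one server cannot vouch for another server's leaf.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Issue a certificate for subject_key signed by issuer_key (constructed test data)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def signed_by(cert, issuer):
    """True if `issuer` is a CA certificate whose key verifies the signature on `cert`."""
    if cert.issuer != issuer.subject:
        return False
    try:
        constraints = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False
    if not constraints.ca:
        return False
    try:
        issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm)
        )
    except InvalidSignature:
        return False
    return True


class CachingValidator:
    """Validate leaf-first chains against trusted roots, caching intermediates seen on the wire.

    Only intermediates from a chain that closes at a trusted root enter the cache, so a
    bogus CA sent by one server cannot be used to vouch for another server's leaf.
    """

    MAX_DEPTH = 8  # bound the issuer walk so a malformed chain cannot loop forever

    def __init__(self, roots):
        self.roots = list(roots)
        self.intermediate_cache = {}  # subject Name -> CA certificate learned earlier

    def validate(self, chain):
        """chain: certificates as presented by the server, leaf first. Returns (ok, reason)."""
        if not chain:
            return False, "empty chain"
        current, path = chain[0], [chain[0]]
        for _ in range(self.MAX_DEPTH):
            if any(signed_by(current, root) for root in self.roots):
                for cert in path[1:]:  # every CA walked through is now a known-good intermediate
                    self.intermediate_cache[cert.subject] = cert
                return True, "ok"
            # Issuer candidates: certs the server sent, then anything cached for that issuer name.
            candidates = [c for c in chain[1:] if c not in path and signed_by(current, c)]
            cached = self.intermediate_cache.get(current.issuer)
            if cached is not None and cached not in path and signed_by(current, cached):
                candidates.append(cached)
            if not candidates:
                return False, "unable to get local issuer certificate"
            current = candidates[0]
            path.append(current)
        return False, "chain too long"


def demo():
    """Replay the ticket's scenario; returns the ok flag of each validation attempt."""
    names = ("root", "inter", "a", "b", "rogue", "c")
    keys = {n: ec.generate_private_key(ec.SECP256R1()) for n in names}
    root = make_cert("Example Root", keys["root"], "Example Root", keys["root"], True)
    inter = make_cert("Example Intermediate", keys["inter"], "Example Root", keys["root"], True)
    leaf_a = make_cert("a.example", keys["a"], "Example Intermediate", keys["inter"], False)
    leaf_b = make_cert("b.example", keys["b"], "Example Intermediate", keys["inter"], False)
    rogue = make_cert("Rogue CA", keys["rogue"], "Rogue CA", keys["rogue"], True)
    leaf_c = make_cert("c.example", keys["c"], "Rogue CA", keys["rogue"], False)

    v = CachingValidator([root])
    attempts = [
        v.validate([leaf_b]),          # server b omits the intermediate; cache is cold -> fails
        v.validate([leaf_a, inter]),   # server a sends the full chain -> ok, intermediate cached
        v.validate([leaf_b]),          # the same leaf now validates via the cached intermediate
        v.validate([leaf_c, rogue]),   # chain ends at an untrusted CA -> fails, nothing cached
    ]
    return [ok for ok, _ in attempts]


if __name__ == "__main__":
    print(demo())  # [False, True, True, False]
```

The walk checks only issuer/subject linkage, the basicConstraints CA bit and the signature; a production validator also checks validity periods, key usage, name constraints and revocation, which the example leaves out to keep the caching logic in view.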

[Bro-Dev] [JIRA] (BIT-1077) fix policy/protocols/http/header-names.bro

2015-03-17 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1077?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1077:
-

Assignee: Robin Sommer

 fix policy/protocols/http/header-names.bro
 --

 Key: BIT-1077
 URL: https://bro-tracker.atlassian.net/browse/BIT-1077
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Jon Siwek
Assignee: Robin Sommer
 Fix For: 2.4


 This script is wrong for the {{log_server_header_names}} case.





[Bro-Dev] [JIRA] (BIT-1304) trace-summary should be updated to support newer versions of Python

2015-03-06 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1304?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1304:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 trace-summary should be updated to support newer versions of Python
 ---

 Key: BIT-1304
 URL: https://bro-tracker.atlassian.net/browse/BIT-1304
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: trace-summary
Reporter: Daniel Thayer
 Fix For: 2.4


 Some of the code in trace-summary is not valid syntax on Python version >= 3.
 It should be updated to work on any Python version >= 2.6.





[Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker

2015-03-06 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1319:
--




Yeah, I'm still mulling over that. Let's chat a bit about that next
week, it's certainly not a must-have right now.


Just go ahead and merge, I'll try the tests later. Thanks for the
renaming. Great to see we have Python bindings!



 topic/jsiwek/broker
 ---

 Key: BIT-1319
 URL: https://bro-tracker.atlassian.net/browse/BIT-1319
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Reporter: Jon Siwek
Assignee: Robin Sommer
 Fix For: 2.4


 The topic/jsiwek/broker branch is in the bro and cmake repos to add the 
 initial support for Broker.
 Notes/Disclaimers/Caveats:
 - Bro has a --enable-broker configure flag.
 - requires actor-framework develop branch.  When version 0.13 is out, I 
 will put that as a requirement in the README and have CMake check for that.
 - no C bindings yet
 - no Python bindings yet
 - other than checking compilation and that the new unit tests pass on 
 Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, 
 optimization etc.





Re: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker

2015-03-06 Thread Robin Sommer


 Didn't do anything about adding synchronous data store query API,
 maybe that's an improvement we can think about for later?

Yeah, I'm still mulling over that. Let's chat a bit about that next
week, it's certainly not a must-have right now.

 So not much here is probably that critical to review; let me know if
 you just want me to merge it (but I'd still like if you could let me
 know about the unit tests that failed before).

Just go ahead and merge, I'll try the tests later. Thanks for the
renaming. Great to see we have Python bindings!



[Bro-Dev] [JIRA] (BIT-1320) topic/jazoff/broctld

2015-03-04 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=19911#comment-19911
 ] 

Robin Sommer commented on BIT-1320:
---

Merging. This is such a large change set across the whole code base that I 
can't really review it. But I trust you guys. :-)

 topic/jazoff/broctld
 

 Key: BIT-1320
 URL: https://bro-tracker.atlassian.net/browse/BIT-1320
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Reporter: Daniel Thayer
Assignee: Robin Sommer
 Fix For: 2.4


 Branch topic/jazoff/broctld in the broctl repo contains significant code 
 reorganization
 for the upcoming broctld.  Here is a high-level list of changes:
 1) Refactor broctl to make it usable as a library (reduce global state, 
 module-level setup code, and functions return results instead of printing),
 2) Integrate ssh_runner code into broctl to fix current problems (use only 
 one connection per host instead of one per Bro node, broctl shouldn't hang 
 when a host goes down or if we forgot to run broctl install),
 3) Write state info using SQLite state storage instead of writing to a plain 
 text file (broctl.dat),
 4)  When the node config changes, we now do additional checks if there are 
 any Bro nodes running that are no longer in our node config and warn user if 
 any are detected,
 5) Keep track of the expected state (running or stopped) of each Bro node, 
 and have broctl cron start or stop nodes as needed,
 6) Improved broctl cron by adding two new options (MailHostUpDown and 
 StatsLogEnable) to give users the option to turn off unwanted functionality 
 to speed up broctl cron and reduce the chance of errors,
 7) When broctl cron tries to send email but fails, now it will output a 
 message that includes the text it was trying to mail, 
 8) Silence warning messages (that are intended for interactive use of broctl) 
 when broctl cron runs to reduce unwanted emails from cron,
 9) Added new broctl option StatusCmdShowAll to enable users to speed up 
 broctl status significantly,
 10) Fixed the stats-to-csv script to not create files that can never include 
 any data,
 11) Fixed archive-log script to detect exit status of gzip or cp command, so 
 that we don't delete log file when the archival fails,
 12) Improved post-terminate script to process log files more consistently,
 13) Made all broctl command output go to stdout (previously, some output 
 would go to stderr, which made grepping or redirecting the output more 
 difficult),
 14) Improved the default broctl.cfg file to show more of the useful options,
 15) Added more error checks to help catch errors earlier,
 16) Some error message output is more specific and helpful now
  





[Bro-Dev] [JIRA] (BIT-1320) topic/jazoff/broctld

2015-03-04 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1320:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 topic/jazoff/broctld
 

 Key: BIT-1320
 URL: https://bro-tracker.atlassian.net/browse/BIT-1320
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Reporter: Daniel Thayer
Assignee: Robin Sommer
 Fix For: 2.4




[Bro-Dev] [JIRA] (BIT-1270) topic/gilbert/plugin-api-tweak

2015-03-02 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1270?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1270:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 topic/gilbert/plugin-api-tweak
 --

 Key: BIT-1270
 URL: https://bro-tracker.atlassian.net/browse/BIT-1270
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Reporter: gclark
Assignee: gclark

 This branch makes a few changes to the API:
 * Wraps values in a simple class (ValWrapper) that includes an explicit 
 processed / not processed flag (to avoid confusion with delayed / opaque 
 invocations).
 * Adds a Frame argument to HookCallFunction
 * Adds support for Frame argument types to HookArgument
 * Adds support for ValWrapper argument types to HookArgument
 * Tweaks the plugin.hooks tests a bit to include new output (from additional 
 argument)
 * Tweaks the plugin.api-version-mismatch to remove explicit home directory 
 path via simple regex





[Bro-Dev] [JIRA] (BIT-1322) btest should warn when using -T option but cannot create timing baseline

2015-03-02 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1322:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

 btest should warn when using -T option but cannot create timing baseline
 

 Key: BIT-1322
 URL: https://bro-tracker.atlassian.net/browse/BIT-1322
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BTest
Reporter: Daniel Thayer
 Fix For: 2.4


 When using btest -T on a system that cannot perform timing measurements there 
 is no warning message to notify the user that the requested operation (create 
 a timing baseline) cannot be performed.  This is especially confusing on a 
 Linux machine that has the perf command installed, but not other required 
 components.





[Bro-Dev] [JIRA] (BIT-1320) topic/jazoff/broctld

2015-03-02 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1320:
-

Assignee: Robin Sommer

 topic/jazoff/broctld
 

 Key: BIT-1320
 URL: https://bro-tracker.atlassian.net/browse/BIT-1320
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Reporter: Daniel Thayer
Assignee: Robin Sommer
 Fix For: 2.4




Re: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)

2015-02-21 Thread Robin Sommer


On Fri, Feb 20, 2015 at 15:08 -0800, you wrote:

 newer libpcap version - now the build fails because of
 pcap_offline_filter:

Oh, I thought that's a function which had been around for a while.
That's not easy to get rid of, it provides BPF filtering for packet
source plugins that can't do that natively (like netmap). Do you
happen to know if there's another way to do that with older pcaps?

Robin

-- 
Robin Sommer * ICSI/LBNL * ro...@icir.org * www.icir.org/robin


[Bro-Dev] [JIRA] (BIT-1318) topic/robin/plugin-updates

2015-02-20 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1318:
--
Status: Merge Request  (was: Open)

 topic/robin/plugin-updates
 --

 Key: BIT-1318
 URL: https://bro-tracker.atlassian.net/browse/BIT-1318
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Robin Sommer



[Bro-Dev] [JIRA] (BIT-1318) topic/robin/plugin-updates

2015-02-20 Thread Robin Sommer (JIRA)
Robin Sommer created BIT-1318:
-

 Summary: topic/robin/plugin-updates
 Key: BIT-1318
 URL: https://bro-tracker.atlassian.net/browse/BIT-1318
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Robin Sommer


A set of improvements to Bro's support for dynamic plugins.

Branch topic/robin/plugin-updates in bro, bro-aux, cmake, and bro-plugins.

This includes primarily updates to the init-plugin helper script:

- the script now sets up the skeleton plugin so that the *build/* directory 
becomes the place where the final plugin lives (rather than the top-level 
source directory). BRO_PLUGIN_PATH needs to point there now. make distclean 
simply deletes the build directory.

- the skeleton builds a binary plugin distribution in build/dist, and make 
install uses that to put the plugin in place. The Makefile targets bdist and 
sdist are gone.

- CMakeList.txt supports a new macro bro_plugin_dist_files to specify 
additional files to include into the binary plugin distribution.

- init-plugin now takes an additional parameter with a directory where to 
create the plugin.

- the configure script now sources a local configure.plugin for adding 
custom options without touching the main script.

- Makefile reloads cached CMake variables when Bro has been reconfigured. 
Addresses #1302. 
 
The changes further include:

- Bro's make install now always creates the plugin installation directory.

- Removed setting BRO_PLUGIN_PATH from bro-path-dev.sh. Addresses #1312.

- Adapting plugin documentation to the changes.

- Adapting the three plugins aux/plugins to changes.

- Bro's make install removes some old scripts that have moved into plugins, 
but might still exist from a previous installation.

- Plugin manager treats plugin names as case-insensitive for some internal 
lookups to be a bit more tolerant in cases that could be hard to catch 
otherwise.

  





Re: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)

2015-02-20 Thread Robin Sommer


On Wed, Feb 18, 2015 at 23:10 +, you wrote:

 I’m not that familiar either, but think it may be fine to provide our
 own preprocessor definition if it doesn’t exist.

I'll remove the dependency on the macro, it's used mainly as
placeholder value, and we can use our own for that.

Robin

-- 
Robin Sommer * ICSI/LBNL * ro...@icir.org * www.icir.org/robin


Re: [Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'

2015-02-17 Thread Robin Sommer
For the record: I'm for it, too. :)

Will merge.

On Sun, Feb 15, 2015 at 22:14 -0600, you wrote:

 
  [ 
 https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
  ]
 
 Seth Hall updated BIT-1315:
 ---
 
 
 Let’s go ahead and merge it then. :)
 
 
  Teach Bro how to 'while'
  
 
  Key: BIT-1315
  URL: https://bro-tracker.atlassian.net/browse/BIT-1315
  Project: Bro Issue Tracker
   Issue Type: New Feature
   Components: Bro
 Reporter: Jon Siwek
 Priority: Low
  Fix For: 2.4
 
 
  topic/jsiwek/while has an implementation of a general purpose 'while' loop. 
   If one wants to hack around the current limitation of only looping over 
  collections, they're going to do it (e.g. recursion), so why not just 
  provide a more convenient way instead?  The mess you have to write to work 
  around the limitation may be more error-prone than just providing a simple 
  while loop.
  An alternative to adding 'while' to the language might be to allow for () 
  to be an unbounded loop and force the author to put the necessary 
  break/return conditions in the body.
 
 
 
 




[Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'

2015-02-17 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1315:
--

For the record: I'm for it, too. :)

Will merge.






 Teach Bro how to 'while'
 

 Key: BIT-1315
 URL: https://bro-tracker.atlassian.net/browse/BIT-1315
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Reporter: Jon Siwek
Priority: Low
 Fix For: 2.4




[Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'

2015-02-17 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1315:
-

Assignee: Robin Sommer

 Teach Bro how to 'while'
 

 Key: BIT-1315
 URL: https://bro-tracker.atlassian.net/browse/BIT-1315
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Reporter: Jon Siwek
Assignee: Robin Sommer
Priority: Low
 Fix For: 2.4



