[Bro-Dev] [JIRA] (BIT-1046) topic/jsiwek/exec-module

2013-07-29 Thread Jon Siwek (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1046?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jon Siwek updated BIT-1046:
---

Status: Merge Request  (was: Open)

 topic/jsiwek/exec-module
 

 Key: BIT-1046
 URL: https://bro-tracker.atlassian.net/browse/BIT-1046
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Affects Versions: 2.1
Reporter: Jon Siwek
 Fix For: 2.2


 Some scripts for executing system commands and getting the results 
 (stderr/stdout, exit code, file output) back into Bro.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://bro-tracker.atlassian.net/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


Re: [Bro-Dev] [JIRA] (BIT-1043) LRU Table implementation

2013-07-29 Thread Siwek, Jonathan Luke
Fix Version is what's used to put something on the roadmap. i.e. it can be 
used like milestones were w/ Trac.  (I think that's what was intended by 
Seth's Affects Version change.)

- Jon

On Jul 29, 2013, at 9:46 AM, Jon Siwek (JIRA) j...@bro-tracker.atlassian.net
 wrote:

 
 [ 
 https://bro-tracker.atlassian.net/browse/BIT-1043?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
  ]
 
 Jon Siwek updated BIT-1043:
 ---
 
Fix Version/s: 2.3
 
 LRU Table implementation
 
 
Key: BIT-1043
URL: https://bro-tracker.atlassian.net/browse/BIT-1043
Project: Bro Issue Tracker
 Issue Type: Improvement
 Components: Bro
   Affects Versions: 2.1
   Reporter: Jordi Ros-Giralt
Fix For: 2.3
 
 
 Attaching below the email description I exchanged with Seth and Robin 
 describing this work.
 --
 Hi Seth and Robin,
 We got the repo up, you can get to our branch as follows:
 git clone --recursive https://github.com/giralt/bro.git
 cd bro/
 git checkout lru-table
 We would be happy to contribute this code to the Bro community.  This is 
 what it does:
 - It implements LRU tables for Bro
 - A Bro table can be enhanced with the LRU functionality with the following 
 new table attributes:
 &lru_table: enhance the table with LRU functionality
 &size_limit=n: if adding an element to the table makes the size of the table 
 larger than n, then drop the LRU element from that table before inserting 
 the new element.  n=0 means table size can be infinite (so don't drop 
 elements from it)
 &drop_func=callback_func: defines a programmable callback function that gets 
 called automatically every time an element from the LRU table is dropped due 
 to hitting the size_limit.  The prototype of this callback must be as 
 follows:
 function callback_func(t: table[keytype] of valuetype, key: keytype, val: 
 valuetype): count
 - It adds the following bif functions:
 function get_lru%(v: any%): any
 function get_mru%(v: any%): any
 function get_lru_key%(v: any%): any
 function get_mru_key%(v: any%): any
 - Example:
 function freed(t: table[port] of string, key: port, val: string): count { 
 print "Dropped"; }
 local port_names: table[port] of string &lru &size_limit=2 &drop_func=freed;
 In terms of applications, we are currently using this feature for the 
 chimera-to-bro compiler we are working on: 
 http://www.chimera-query.org/index.html
 We thought that we could also use this feature to provide a sort of memory 
 management facility for Bro.  I had a talk with Seth some weeks ago about 
 this.  Something like the LRU implementation allows programmers to put 
 bounds on the size of tables and prioritize which elements can be dropped 
 first upon memory exhaustion scenarios.  Perhaps an idea here would be to 
 develop a garbage collector (could be done using Bro language itself, 
 perhaps as a framework) which would be run upon hitting a certain memory 
 usage watermark and which would mainly run through the set of tables marked 
 as garbage collectable dropping LRU elements from them to help 
 reduce/eliminate the risk of running out of memory.
 Should this be something interesting, what are the steps we would need to do 
 to open source the LRU code into Bro?
 
 


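An added C++ sketch of the table semantics Jordi describes above (not code from the lru-table branch, all names hypothetical): the drop callback is assumed to receive the evicted key and value, and a lookup is assumed to count as a use.

```cpp
// Added example with hypothetical names (not the lru-table branch's code): an
// LRU table where size_limit=n evicts the least recently used entry before an
// insert grows the table past n (n=0 means unbounded) and drop_func sees it.
#include <cstddef>
#include <functional>
#include <list>
#include <unordered_map>
#include <utility>

template <typename K, typename V>
class LruTable {
public:
    using DropFunc = std::function<void(const K&, const V&)>;
    explicit LruTable(std::size_t size_limit = 0, DropFunc drop_func = nullptr)
        : size_limit_(size_limit), drop_func_(std::move(drop_func)) {}
    // Insert or overwrite; a touched key becomes the most recently used.
    void Insert(const K& key, const V& val) {
        auto it = index_.find(key);
        if (it != index_.end()) {
            it->second->second = val;
            Touch(it->second);
            return;
        }
        // Evict the LRU entry first when a limit is set and already reached.
        if (size_limit_ != 0 && order_.size() >= size_limit_)
            DropLru();
        order_.emplace_front(key, val);
        index_[key] = order_.begin();
    }
    // A lookup counts as a use and promotes the entry to MRU.
    const V* Lookup(const K& key) {
        auto it = index_.find(key);
        if (it == index_.end()) return nullptr;
        Touch(it->second);
        return &it->second->second;
    }
    std::size_t Size() const { return order_.size(); }
    const K& LruKey() const { return order_.back().first; }   // cf. get_lru_key
    const K& MruKey() const { return order_.front().first; }  // cf. get_mru_key
private:
    using Node = std::pair<K, V>;
    using Iter = typename std::list<Node>::iterator;
    // splice() moves the node to the MRU end without invalidating iterators.
    void Touch(Iter it) { order_.splice(order_.begin(), order_, it); }
    void DropLru() {
        Node& victim = order_.back();
        if (drop_func_) drop_func_(victim.first, victim.second);
        index_.erase(victim.first);
        order_.pop_back();
    }
    std::size_t size_limit_;
    DropFunc drop_func_;
    std::list<Node> order_;              // front = MRU, back = LRU
    std::unordered_map<K, Iter> index_;
};
```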


Re: [Bro-Dev] [Bro-Commits] [git/bro] topic/jsiwek/exec-module: Exec module changes/fixes. (73eb87a)

2013-07-29 Thread Siwek, Jonathan Luke

  Exec module changes/fixes.
 
 Do you feel comfortable with this being merged into master now?  

I'm not aware of any outstanding problems w/ it, so yes.  I made a merge 
request ticket.

- Jon


[Bro-Dev] [JIRA] (BIT-1046) topic/jsiwek/exec-module

2013-07-29 Thread Jon Siwek (JIRA)
Jon Siwek created BIT-1046:
--

 Summary: topic/jsiwek/exec-module
 Key: BIT-1046
 URL: https://bro-tracker.atlassian.net/browse/BIT-1046
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Affects Versions: 2.1
Reporter: Jon Siwek
 Fix For: 2.2


Some scripts for executing system commands and getting the results 
(stderr/stdout, exit code, file output) back into Bro.



Re: [Bro-Dev] [Bro-Commits] [git/bro] topic/jsiwek/exec-module: Exec module changes/fixes. (73eb87a)

2013-07-29 Thread Seth Hall

On Jul 29, 2013, at 10:56 AM, Siwek, Jonathan Luke jsi...@illinois.edu 
wrote:

 
 Exec module changes/fixes.
 
 Do you feel comfortable with this being merged into master now?  
 
 I'm not aware of any outstanding problems w/ it, so yes.  I made a merge 
 request ticket.


Cool, thanks.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/




[Bro-Dev] [JIRA] (BIT-1045) Review usage of InternalError when parsing network traffic

2013-07-29 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13400#comment-13400
 ] 

Robin Sommer commented on BIT-1045:
---

Ack, InternalError() is not something that external input should be
able to trigger. I already removed a number of these over time, but
never looked systematically for them.


Agreed, though sometimes they aren't about the traffic but about a
logic error in decoding it; it would be good to still differentiate
those cases from a broken packet, however indeed without aborting.



 Review usage of InternalError when parsing network traffic
 --

 Key: BIT-1045
 URL: https://bro-tracker.atlassian.net/browse/BIT-1045
 Project: Bro Issue Tracker
  Issue Type: Task
  Components: Bro
Affects Versions: git/master, 2.1
Reporter: Vlad Grigorescu

 Creating issue for tracking purposes.
 Reporter->InternalError denotes a fatal error, and will cause Bro to stop. 
 Calling this function when parsing network traffic creates the possibility 
 for an attacker using a packet of death, which could stop Bro.
 I suspect that in most cases, a weird should be generated instead, and Bro 
 should just move on to the next packet. A quick grep shows some likely 
 candidates for incorrect use of InternalError:
 src/Sessions.cc:  reporter->InternalError("Bad IP protocol version in DoNextInnerPacket");
 src/Sessions.cc:  reporter->InternalError("fragment block not in dictionary");
 src/Sessions.cc:  reporter->InternalError("fragment block missing");
 src/Sessions.cc:  reporter->InternalError("unknown transport protocol");
 src/Frag.cc:      reporter->InternalError("bad IP version in fragment reassembly");
 src/IP.cc:        reporter->InternalError("IPv6_HdrChain::Init with truncated IP header");
 src/IP.cc:        reporter->InternalError("IPv6_Hdr_Chain bad header %d", type);
 src/IP.h:         reporter->InternalError("bad IP version in IP_Hdr ctor");
 src/RSH.cc:       reporter->InternalError("multiple rsh client names");
 src/RSH.cc:       reporter->InternalError("multiple rsh initial client names");
 src/POP3.cc:      reporter->InternalError("command not known");
 src/Rlogin.cc:    reporter->InternalError("multiple rlogin client names");
 src/ICMP.cc:      reporter->InternalError("unexpected IP proto in ICMP analyzer: %d",
 src/ICMP.cc:      reporter->InternalError("unexpected next protocol in ICMP::DeliverPacket()");
 src/SMB.cc:       reporter->InternalError("command mismatch for ParseTransaction");
 src/HTTP.cc:      reporter->InternalError("unrecognized HTTP message event");
 src/HTTP.cc:      reporter->InternalError("HTTP ParseRequest failed");
 src/DPM.cc:       reporter->InternalError("unknown protocol");
 src/RPC.cc:       reporter->InternalError("RPC underflow");
 src/RPC.cc:       reporter->InternalError("RPC resync: skipping over data failed");
 src/RPC.cc:       reporter->InternalError("inconsistent RPC record marker extraction");



[Bro-Dev] [JIRA] (BIT-1045) Review usage of InternalError when parsing network traffic

2013-07-29 Thread Vern Paxson (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13401#comment-13401
 ] 

Vern Paxson commented on BIT-1045:
--


In line with what you frame, the history behind these is that they're meant
to reflect should-never-happen situations; not weird activity, but apparent
internal inconsistencies in Bro's processing/execution.  So they don't really
fit with the notion of weird.  (Of course it's definitely possible there's
some mission-creep and InternalError is misused when Weird really is the
right notion.)

That said, for sure I agree that we don't want to give adversaries a way
to tickle a Bro crash.  So ideally the solution here would be to come up
with something similar to the weird/notice framework, but that explicitly
captures the notion that Bro-is-confused rather than
something-happened-on-the-network.

Vern


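An added example, not Bro's own code, of the distinction the BIT-1045 description and Vern's comment draw: the stub Reporter, IpVersionFatal, IpVersionWeird and RunBatch are hypothetical names, and the packets inside RunBatch are constructed. It places the fatal form beside the weird-and-skip form that Vlad proposes, so the difference in what malformed input can do to the process is visible in one place.

```cpp
// Added example, not Bro's code: a stand-in Reporter plus an IP-version check
// written both ways. The "before" form turns a malformed packet into a fatal
// InternalError() (the packet-of-death the ticket describes); the "after" form
// records a weird and returns so the caller just moves on to the next packet.
// All names here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <utility>
#include <vector>

struct Reporter {
    std::vector<std::string> weirds;  // stands in for weird.log
    // Fatal, like the real InternalError(): logs and aborts the process.
    [[noreturn]] void InternalError(const char* msg) {
        std::fprintf(stderr, "internal error: %s\n", msg);
        std::abort();
    }
    void Weird(const char* name) { weirds.emplace_back(name); }
};

// "Before": a bad version nibble in network input reaches the fatal path.
int IpVersionFatal(Reporter& r, const std::uint8_t* pkt, std::size_t len) {
    if (len < 1) r.InternalError("truncated IP header");
    int v = pkt[0] >> 4;
    if (v != 4 && v != 6) r.InternalError("bad IP version in IP_Hdr ctor");
    return v;
}

// "After": same checks, but the packet is reported as a weird and skipped.
// Returns 0 to tell the caller to drop it.
int IpVersionWeird(Reporter& r, const std::uint8_t* pkt, std::size_t len) {
    if (len < 1) { r.Weird("truncated_IP"); return 0; }
    int v = pkt[0] >> 4;
    if (v != 4 && v != 6) { r.Weird("unknown_IP_version"); return 0; }
    return v;
}

// Runs a constructed batch (two malformed packets among three valid ones)
// through the hardened path; returns {analysed, skipped}.
std::pair<int, int> RunBatch(Reporter& r) {
    const std::vector<std::vector<std::uint8_t>> pkts = {
        {0x45, 0x00}, {0xF0}, {}, {0x60, 0x00}, {0x45}};
    int analysed = 0, skipped = 0;
    for (const auto& p : pkts) {
        if (IpVersionWeird(r, p.data(), p.size()) != 0) ++analysed;
        else ++skipped;
    }
    return {analysed, skipped};
}
```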


Re: [Bro-Dev] viability of stand-alone (not installed) Bro

2013-07-29 Thread Slagell, Adam J
I don't think that is intended behavior, but rather an unintended consequence 
of some of the work on the file analysis framework and shipping with our own 
magic DB. Perhaps Jon can elaborate more on what it would take to fix this?

On Jul 29, 2013, at 10:09 PM, Vern Paxson v...@icir.org wrote:

 For various reasons I sometimes like to run Bro out of the directory
 I used to build it, rather than installing it.  With a fresh git pull,
 when doing this I get:
 
% build/src/bro
internal error: can't load magic file /usr/local/bro/share/bro/magic: 
 could not find any valid magic files!
Abort
 
 Well harumph.
 
 However, the reason for this note (rather than a shiny-new-tracker ticket)
 is I'm wondering whether filing the ticket is a lost cause (i.e., the
 current philosophy is it's okay if things only work post make install) ... ?
 
Vern
 



[Bro-Dev] [JIRA] (BIT-1044) topic/seth/faf-updates ready for merge

2013-07-29 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1044?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1044:
--

Resolution: Merged
Status: Closed  (was: Merge Request)

 topic/seth/faf-updates ready for merge
 --

 Key: BIT-1044
 URL: https://bro-tracker.atlassian.net/browse/BIT-1044
 Project: Bro Issue Tracker
  Issue Type: Task
Reporter: Seth Hall
Assignee: Robin Sommer
 Fix For: 2.2


 Big updates to logs and functionality of the files framework.



Re: [Bro-Dev] viability of stand-alone (not installed) Bro

2013-07-29 Thread Vern Paxson
 Try source build/bro-path-dev.sh.

Cool, that does it.  The only problem is surely I'm going to fail to
remember that bit of voodoo, and bug you with similar questions in the
future at least three more times :-P.

Vern


Re: [Bro-Dev] viability of stand-alone (not installed) Bro

2013-07-29 Thread Robin Sommer


On Mon, Jul 29, 2013 at 20:08 -0700, you wrote:

 I'm wondering whether filing the ticket is a lost cause (i.e., the
 current philosophy is it's okay if things only work post make
 install) ... ?

Quite the opposite: I'm sure most of us run it right out of the source
tree more often than not. Try source build/bro-path-dev.sh.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * ro...@icir.org
ICSI/LBNL* Fax   +1 (510) 666-2956 * www.icir.org/robin


[Bro-Dev] [JIRA] (BIT-1046) topic/jsiwek/exec-module

2013-07-29 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1046?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1046:
--

Resolution: Merged
Status: Closed  (was: Merge Request)
