Re: [Bro-Dev] [JIRA] (BIT-1016) Option to extend uids to 128 bit

2013-08-27 Thread Vlad Grigorescu
On Aug 27, 2013, at 3:50 PM, Robin Sommer (JIRA) wrote: > - We could use "C-" instead of "C" to make it more obvious that the > first character is special. But not sure if it's worth it. FWIW, I prefer C for the simple reason that if I double-click it, it selects the whole uid (including the

Re: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: Update VirusTotal URL to work with changes to their website. (0977983)

2013-11-05 Thread Vlad Grigorescu
Yeah, I was thinking about that. I'll make that change in a bit. --Vlad On Nov 5, 2013, at 1:35 PM, Siwek, Jonathan Luke wrote: > Maybe it would be helpful if the URL format string is something a user can > redef? > > - Jon > > > On Nov 5, 2013, at 11:36

Re: [Bro-Dev] [JIRA] (BIT-250) Binpac wrong boundary check

2014-06-02 Thread Vlad Grigorescu
Please ignore... Inadvertent mouse click. :-) On Jun 2, 2014, at 8:05 PM, grigorescu (JIRA) wrote: > > [ > https://bro-tracker.atlassian.net/browse/BIT-250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel > ] > > grigorescu updated BIT-250: > --

Re: [Bro-Dev] Looking on feedback on PACF/reaction framework

2014-06-19 Thread Vlad Grigorescu
This lines up pretty well with the features that I'd want from this. I think the API is at a good level to be usable yet customizable. A few comments I had: - I believe Rule$target should be of type Target and not TargetType (which is undefined). - Some other options to consider for EntityType:

Re: [Bro-Dev] Time for C++11?

2014-06-23 Thread Vlad Grigorescu
On Mon, Jun 23, 2014 at 11:43 AM, Robin Sommer wrote: > > - We decide which minimum versions of GCC and clang (and their > stdlibs) we need to require. > If the OpenSuSE build service idea moves forward, does that mean we can be stricter with the requirements? Hopefully, people should

Re: [Bro-Dev] Time for C++11?

2014-06-23 Thread Vlad Grigorescu
Fair enough. For surveying the environment, you can use DistroWatch. For example, to see which distros have gcc 4.9: http://distrowatch.com/search.php?pkg=gcc&pkgver=4.9.0#pkgsearch The main stragglers seem to be RHEL and Ubuntu LTS. Ubuntu 12.04 has 4.6.3 and RHEL 6.5 has 4.4.7. I believe RHEL

Re: [Bro-Dev] Time for C++11?

2014-06-23 Thread Vlad Grigorescu
Is it worth conducting a survey on the mailing list of what distros people are using? If we spin it the correct way (maybe something like "We're reevaluating what distros we test and fully support") and make it anonymous, even the corporate users might chime in. I figure that between this discussi

Re: [Bro-Dev] Time for C++11?

2014-06-23 Thread Vlad Grigorescu
I got it. On Mon, Jun 23, 2014 at 8:13 PM, Robin Sommer wrote: > > > On Mon, Jun 23, 2014 at 16:27 -0400, you wrote: > > > Is it worth conducting a survey on the mailing list of what distros > people > > are using? > > Yeah, that's a good idea. Is anybody up for creating a SurveyMonkey or > Goo

Re: [Bro-Dev] Time for C++11?

2014-06-23 Thread Vlad Grigorescu
ently supports? Apart from the obvious x86 and x86-64, does it support PowerPC? Is it worth asking if there's another architecture they'd like to see supported (maybe ARM)? --Vlad On Mon, Jun 23, 2014 at 8:34 PM, Vlad Grigorescu wrote: > I got it. > > > On Mon, Jun 23, 2014 at 8

Re: [Bro-Dev] Time for C++11?

2014-06-24 Thread Vlad Grigorescu
On Mon, Jun 23, 2014 at 11:59 PM, Daniel Thayer wrote: > You left out Scientific Linux, Well, I have this comment under "What Linux distro do you run Bro on?": Note: Please select the "parent" distro if yours isn't listed (e.g. if you're running Scientific Linux, select RHEL) Is there any func

Re: [Bro-Dev] Time for C++11?

2014-06-24 Thread Vlad Grigorescu
Good idea, thanks. Updated. On Tue, Jun 24, 2014 at 8:45 AM, Daniel Thayer wrote: > On 06/24/2014 05:49 AM, Vlad Grigorescu wrote: > >> On Mon, Jun 23, 2014 at 11:59 PM, Daniel Thayer > <mailto:dntha...@illinois.edu>> wrote: >> >> You left out Scientif

[Bro-Dev] Documenting Weirds

2014-06-27 Thread Vlad Grigorescu
It seems like one area where our documentation is sorely lacking is the weirds. Apart from comments in the code, I believe the only documentation is the name of the weird itself. Is there a mechanism in Broxygen to document weirds? If not, has anyone thought about what such a mechanism might look

Re: [Bro-Dev] Documenting Weirds

2014-06-28 Thread Vlad Grigorescu
I was thinking of just a simple Weird::Type enum with comments, much like how the Notice documentation is generated. I do also like the thought of the structured namespace. Maybe more generally, we should make a Weird closer to a Notice. For example, if a file analyzer generates a weird, there

Re: [Bro-Dev] [JIRA] (BIT-1236) topic/jsiwek/flip-on-syn-ack

2014-08-25 Thread Vlad Grigorescu
This ties into something I had noticed recently. Certain scanning tools like to use the same source port per destination IP (I imagine to cache portions of the TCP header). During these scans, multiple TCP connections occur. Bro saw traffic that had: - A connection that was setup and torn down as

Re: [Bro-Dev] [JIRA] (BIT-1236) topic/jsiwek/flip-on-syn-ack

2014-08-26 Thread Vlad Grigorescu
this. --Vlad On Mon, Aug 25, 2014 at 5:04 PM, Siwek, Jon wrote: > > On Aug 25, 2014, at 4:40 PM, Vlad Grigorescu wrote: > > > Does it makes sense that following a connection teardown, if a SYN-ACK > is seen, a new connection begins, instead of using the existing connection

[Bro-Dev] Adding a LOCAL option to the Direction type?

2014-08-28 Thread Vlad Grigorescu
The Direction type (defined in base/utils/directions-and-hosts.bro) currently has directions for: - remote orig, local resp - local orig, remote resp - bidirectional ("Only one endpoint is within the locally-monitored network, meaning the connection is either outbound or inbound.") - no_direct

[Bro-Dev] Help Troubleshooting a Perftools Memleak

2014-10-29 Thread Vlad Grigorescu
The MySQL analyzer is ready to go, apart from one issue: a memleak btest that I wrote is failing on some of Bro's regex code. > # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/mysql/mysql.trace %INPUT > > @load base/protocols/mysql This results in:

Re: [Bro-Dev] Help Troubleshooting a Perftools Memleak

2014-10-31 Thread Vlad Grigorescu
On Fri, Oct 31, 2014 at 8:48 PM, Robin Sommer wrote: > > I've pushed the change into master but have actually not > tried yet if it indeed fixes the reported memleak. > Thanks, Robin. I tested it and perftools is no longer reporting any leaks. --Vlad ___

Re: [Bro-Dev] HTTP/2

2015-02-06 Thread Vlad Grigorescu
I don't believe anyone's done any work on this. From what I can tell, most implementations (at least IE, Firefox, and Chrome) are only supporting HTTP/2.0 over TLS. If that trend continues, the only changes to Bro might just be ensuring that the SSL analyzer would work with it. --Vlad On Fri, F

Re: [Bro-Dev] Trouble with getting Bro 2.2 private analyzer to write logs on current master

2015-06-16 Thread Vlad Grigorescu
Just a guess, but it could be related to this: https://github.com/bro/bro/blob/master/CHANGES#L1578 ints changed to uint64s. As an example, you can see how the HTTP analyzer was modified here: https://github.com/bro/bro/commit/96bcc2d69d72c21f5f4eff0c88cd8d43613bee22#diff-978a30a2ac40a10fbf3c8b550

Re: [Bro-Dev] Trouble with getting Bro 2.2 private analyzer to write logs on current master

2015-06-17 Thread Vlad Grigorescu
On Wed, Jun 17, 2015 at 9:45 AM, James Swaro wrote: > > Just a guess, but it could be related to this: > https://github.com/bro/bro/blob/master/CHANGES#L1578 > I'm looking, but nothing seems to pop out at me. > > > The other big change was moving to plugins, but if you're seeing it > added as a c

Re: [Bro-Dev] Trouble with getting Bro 2.2 private analyzer to write logs on current master

2015-06-17 Thread Vlad Grigorescu
On Wed, Jun 17, 2015 at 10:30 AM, James Swaro wrote: > If I understand the patch correctly, it would only cause problems for > connections with over 2GB of data payload, but I think it should work fine > for a small trace of say 200KB. I'm not seeing any events at all, nor am I > seeing the log f

[Bro-Dev] Advice on the PE Analyzer

2015-09-21 Thread Vlad Grigorescu
For Bro 2.5, I'd like to add some more functionality to the Windows Portable Executable analyzer. I think there's a lot of valuable data that could be extracted, but the format is rather challenging to work with. Some protocol pseudocode would be: > : import_address_table is at 0010 > 0010: en

Re: [Bro-Dev] [EXTERNAL] Re: [Bro] Logging VLAN IDs

2015-09-21 Thread Vlad Grigorescu
Apologies for resurrecting an old thread. I'm wondering if anyone has given any further thought to or done any work on this. While looking at BIT-1480 (adding ERSPAN decapsulation support), I was reminded of what a mess Sessions.cc currently is. I think moving towards passing a Packet structure ar

Re: [Bro-Dev] [EXTERNAL] Re: [Bro] Logging VLAN IDs

2015-09-21 Thread Vlad Grigorescu
Oooh, yes, thank you. I'm not sure how I missed that, but that looks nice. On Mon, Sep 21, 2015 at 5:50 PM, Robin Sommer wrote: > On Mon, Sep 21, 2015 at 11:20 -0500, you wrote: > > > I'm wondering if anyone has given any further thought to or done any work > > on this. > > Yep, it's in place. :

Re: [Bro-Dev] Parse LDAP messages from a pcap

2015-12-01 Thread Vlad Grigorescu
Zakaria, There's no LDAP analyzer in Bro. LDAP is not a simple protocol, but if you'd like to try writing an analyzer, you might want to check out the following resources: https://www.bro.org/development/howtos/binpac-sample-analyzer.html https://www.youtube.com/watch?v=1eDIl9y6ZnM Best, --Vl

[Bro-Dev] Better Handling of User Agents in Software Framework

2015-12-14 Thread Vlad Grigorescu
I'm not thrilled with how user agents are being handled right now, and I'm curious to get some thoughts. Take, for example the Safari user-agent string of: > Safari/11601.3.9 CFNetwork/760.2.6 Darwin/15.2.0 (x86_64) Right now, this gets parsed as: > name=Safari, > version=[ > major=11601

Re: [Bro-Dev] Better Handling of User Agents in Software Framework

2015-12-15 Thread Vlad Grigorescu
2015 at 3:24 PM, Seth Hall wrote: > > > On Dec 14, 2015, at 10:51 AM, Vlad Grigorescu > wrote: > > > > I'm not thrilled with how user agents are being handled right now, and > I'm curious to get some thoughts. Take, for example the Safari user-agent >

[Bro-Dev] Bro failing to build on OS X with XCode 7

2016-01-14 Thread Vlad Grigorescu
I can't get Bro master to build with XCode 7 on OS X. For anyone trying to build Bro on a new OS X system, this is a problem, since I don't think old versions of XCode are still available. > $ cc -v > Apple LLVM version 7.0.2 (clang-700.1.81) > Target: x86_64-apple-darwin15.2.0 > Thread model: pos

Re: [Bro-Dev] SMB2 - NTLM GSSAPI messages

2016-01-25 Thread Vlad Grigorescu
My intention for this was to do the parsing at the PAC level, but it wasn't possible at the time. In the meantime, BinPAC now supports including files from other directories, so just how ASN1 is now a BinPAC library shared by SNMP and Kerberos, I would envision GSSAPI to become a library. This woul

Re: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

2016-04-10 Thread Vlad Grigorescu
t; > > --- > > > > Key: BIT-1506 > > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > > Project: Bro Issue Tracker > > Issue Type: Problem > >

Re: [Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readability

2016-04-26 Thread Vlad Grigorescu
I'm not sure I agree without additional context. ICMP exfil is a known technique. Wouldn't you want to know if all of a sudden, you started seeing gigs of ICMP? Or is there some other limitation that would make detecting this problematic? What I would recommend instead is simply adding the protoco

Re: [Bro-Dev] Deleting old branches

2016-04-26 Thread Vlad Grigorescu
Hooray, thanks for taking this on! I just did a quick check for branches named ticket* or bit* and all those tickets have been closed (I wanted to check if they had been left open with the idea that someone would circle back to that branch and add feature X). From my end, all the topic/vladg bran

Re: [Bro-Dev] which of these Lintian error messages need tickets?

2016-05-02 Thread Vlad Grigorescu
I'll take a shot: > *1. binary file built without LFS support* > binpac: > binary-file-built-without-LFS-support > > usr/bin/binpac > > bro (2.4.1+dfsg-2+b3; main): > binary-file-built-without-LFS-support >

Re: [Bro-Dev] CBAN design proposal

2016-05-23 Thread Vlad Grigorescu
I think we're generally on the same page, but I wanted to elaborate a bit on what I envisioned with the plugin submission process. When a contributor submits a new script, there would be some mandatory checks that would need to pass for the script to be included: * Is the plugin structure valid?

Re: [Bro-Dev] CBAN naming

2016-05-31 Thread Vlad Grigorescu
I don't like the name CBAN, for a number of reasons. There are a number of C?AN's out there. I believe that CTAN was the first one (TeX), and then CPAN (Perl), CRAN (R), and CEAN (Erlang) followed. The architecture of CPAN was also ported for CCAN (C) and JSAN (Javascript). Because these all share

Re: [Bro-Dev] CBAN naming

2016-06-06 Thread Vlad Grigorescu
Having reread through the discussion, I want to try to take a step back and review some of it. I believe there are two goals in play: 1) From a user's perspective, the principle of least astonishment. Names matter, and choosing something intuitive or familiar means we're not raising the barrier t

[Bro-Dev] Splitting up init-bare?

2017-02-10 Thread Vlad Grigorescu
What do people think about splitting up portions of init-bare into separate files, and having init-bare simply @load those files? Right now, it's a 4500+ line script that keeps growing, and it commonly results in conflicts. For the protocols, I could see having a file such as protocols/kerberos/ba

Re: [Bro-Dev] 2.5.1 release?

2017-05-12 Thread Vlad Grigorescu
Correct, I agree. I just did another review of CHANGES, and didn't spot anything concerning. We'll look at upgrading our test cluster (and UIUC's test cluster) to master. On Fri, May 12, 2017 at 8:48 PM, Slagell, Adam J wrote: > > > > On May 12, 2017, at 4:09 PM, Seth Hall wrote: > > > > I'd be

Re: [Bro-Dev] Protocol Analyzer Plugin Question

2017-05-15 Thread Vlad Grigorescu
On Mon, May 15, 2017 at 1:46 PM, Aaron Eppert wrote: > Greetings, > > In working on authoring a new protocol analyzer plugin I have encountered > the following issues: > > 1) When adding a new type to be passed to an event handler, thus handled > upstream by a protocol analyzer script, types.bif

Re: [Bro-Dev] Protocol Analyzer Plugin Question

2017-05-15 Thread Vlad Grigorescu
On Mon, May 15, 2017 at 5:14 PM, Vlad Grigorescu wrote: > > Add it to init-bare.bro. e.g.: https://github.com/bro/bro/com > mit/11ec4903ee0cbd3cdb555c309f67ce399b23e37b#diff-64e7fba4a9 > 8f6581a47aa0053e9f03c6 > Oops, reread what I sent and realized it wouldn't work, si

[Bro-Dev] Source Package for caf?

2017-07-06 Thread Vlad Grigorescu
About a year ago, I was trying to get the Bro test suite running in Travis CI. To make this easier, I was trying to get caf added as a whitelisted package to Travis CI. Unfortunately, this failed because there was no source package available for caf: https://travis-ci.org/travis-ci/apt-whitelist-c

Re: [Bro-Dev] Configuration framework syntax proposal

2017-09-21 Thread Vlad Grigorescu
First of all, thanks to Johanna for getting this discussion going, and thanks to everyone who's weighed in so far. I'm really excited to see this feature in Bro, and I'm also happy to see how much interest this has already garnered. To extend what Seth said about our two user groups -- I think tha

[Bro-Dev] UDP connection_established event?

2018-03-01 Thread Vlad Grigorescu
I would like to propose a new event in Bro, one that would fire when a UDP connection is established (i.e. a response is observed within some time frame after a request is seen). Basically, the UDP equivalent of connection_established. Currently, I think the only way to do this would be either wit

Re: [Bro-Dev] UDP connection_established event?

2018-03-05 Thread Vlad Grigorescu
the current event model a bit better. On Mon, Mar 5, 2018 at 4:55 AM, Jan Grashöfer wrote: > On 02/03/18 03:52, Vlad Grigorescu wrote: > > I would like to propose a new event in Bro, one that would fire when a > UDP > > connection is established (i.e. a response is observed wi

Re: [Bro-Dev] Weirdness with event ssh_capabilities

2018-04-24 Thread Vlad Grigorescu
Hi John, First, here's code that works: http://try.bro.org/#/trybro/saved/228261 (This is longer, because technically, clients and servers can specify different algs for each direction). Here's the relevant bit of Bro code: https://github.com/bro/bro/blob/master/scripts/base/protocols/ssh/main.br

[Bro-Dev] How to deal with stale branches?

2018-04-26 Thread Vlad Grigorescu
I have a couple of branches that, for whatever reason, aren't headed for a merge request into master. The branches were left around for reference, in case someone wanted to pick up and continue the work. However, this too now looks very unlikely, as some of these are several years old, and of quest

Re: [Bro-Dev] How to deal with stale branches?

2018-04-26 Thread Vlad Grigorescu
Yeah, that's certainly one option, but I think it'd be hard for people to find. On Thu, Apr 26, 2018 at 8:15 PM, Jon Siwek wrote: > > > On 4/26/18 11:06 AM, Vlad Grigorescu wrote: > > I'm torn between deleting the branches, in an effort to not clog up git >>

[Bro-Dev] bro-devel package?

2018-05-24 Thread Vlad Grigorescu
There are a couple of cases where I think it'd be useful to have a bro-devel package -- a package that I can install on a system, and then be able to build plugins against Bro. (This is the same model as other *-devel packages, such as openssl, libpcap, etc.) Right now, if I compile Bro from sourc

Re: [Bro-Dev] $history extensions - zero windows, logarithmic counts

2018-06-15 Thread Vlad Grigorescu
I think this is a useful feature. I'm a bit unclear on the logarithmic counts. Take, for instance SaDtTtT. If I'm reading this correctly, I think that means 10-99 retransmissions from orig, followed by 10-99 from resp, then more retransmissions from orig (enough to reach a total of 100-999), and si

Re: [Bro-Dev] DHCP event removal

2018-06-15 Thread Vlad Grigorescu
Yeah, I've mainly seen it used for shellshock. On top of that, I saw some scripts in GitHub that used it from: - Michal: https://github.com/michalpurzynski/bro-gramming/blob/master/dhcpr.bro - Matthias: https://github.com/bro/bro-scripts/blob/master/roam.bro - Grant Stavely: https://github.com/eve

Re: [Bro-Dev] $history extensions - zero windows, logarithmic counts

2018-06-15 Thread Vlad Grigorescu
On Fri, Jun 15, 2018 at 9:54 PM, Vern Paxson wrote: > > it unclear on the logarithmic > > counts. Take, for instance SaDtTtT. If I'm reading this correctly, I > think > > that means 10-99 retransmissions from orig, followed by 10-99 from resp, > > then more retransmissions from orig (enough to re

Re: [Bro-Dev] DHCP event removal

2018-06-16 Thread Vlad Grigorescu
Yep, already working on it. :-) On Sat, Jun 16, 2018 at 6:26 AM, Seth Hall wrote: > > On 15 Jun 2018, at 17:22, Azoff, Justin S wrote: > > > The fix is a little trickier, you can't handle both events because the > > DHCP::Msg type no longer exists and you need to wrap the old event > > with > >

Re: [Bro-Dev] DHCP event removal

2018-08-10 Thread Vlad Grigorescu
On Fri, Jun 15, 2018 at 9:38 PM, Vlad Grigorescu wrote: > Even if it's not widely used, I think it'd be a nicer user experience if > we were to ship a script that handled dhcp_message, and raised the old > events. We could mark the old events as deprecated, and remove them in

Re: [Bro-Dev] JIRA to GitHub ticket migration plan

2018-09-18 Thread Vlad Grigorescu
On Sat, Sep 15, 2018 at 1:28 AM Robin Sommer wrote: > Are Jenkins and Coverity already pulling from GitHub? > No, I thought Jenkins was pushing to Coverity. Is the plan to have GitHub issues within each repo? That is, bro, binpac, etc. I think we'd lose the easy way to see all issues, but if I

Re: [Bro-Dev] S7Comm/S7CommPlus Analyzer

2018-09-24 Thread Vlad Grigorescu
Hi Dane, Thanks for sending this along. I'll have to check it out. One thing I noticed -- do you mind filling out the license in COPYING.edit-me? Without a valid copyright, it's hard to figure out what all we can do with this. Thanks, --Vlad On Sun, Sep 23, 2018 at 3:04 PM DW wrote: > Hi there,

[Bro-Dev] SSH Capabilities Bug: Fix for 2.6?

2018-10-15 Thread Vlad Grigorescu
During BroCon, someone brought a bug in the SSH analyzer to my attention. The SSH Capabilities record has the following field, which is being set incorrectly: ## Are these the capabilities of the server? > is_server: bool; > > result->Assign(6, new Val(${msg.is_

Re: [Bro-Dev] SSH Capabilities Bug: Fix for 2.6?

2018-10-15 Thread Vlad Grigorescu
Sure, I'll do that. On Mon, Oct 15, 2018 at 16:19 Jon Siwek wrote: > On Mon, Oct 15, 2018 at 3:33 PM Vlad Grigorescu wrote: > > > The SSH Capabilities record has the following field, which is being set > incorrectly: > > > >> ## Are t

Re: [Bro-Dev] SSH Capabilities Bug: Fix for 2.6?

2018-10-16 Thread Vlad Grigorescu
Just for anyone who wanted some closure on this, I've submitted the PR: https://github.com/bro/bro/pull/191 On Mon, Oct 15, 2018 at 10:21 PM Vlad Grigorescu wrote: > Sure, I'll do that. > On Mon, Oct 15, 2018 at 16:19 Jon Siwek wrote: > >> On Mon, Oct 15, 2018 at 3:33

[Bro-Dev] bro-pkg Bro version requirements

2018-10-16 Thread Vlad Grigorescu
It strikes me that as Bro development marches on, package maintainers don't have great choices in terms of maintaining compatibility with multiple Bro versions. For JA3, to maintain compatibility, you have to do something like this, due to the SSL event change: @if ( Version::at_least("2.6") ) > e

Re: [Bro-Dev] Any 2.6 release blockers?

2018-10-29 Thread Vlad Grigorescu
I'd really like to fix this: https://github.com/bro/bro/issues/195 I've gotten reports from a few people that that fills up the disk in environments that encrypt MySQL. I'll take one more crack at it now. --Vlad On Mon, Oct 29, 2018 at 7:22 PM Jon Siwek wrote: > Anyone have any last minute i

Re: [Bro-Dev] Any 2.6 release blockers?

2018-10-29 Thread Vlad Grigorescu
Ok, just submitted: https://github.com/bro/bro/pull/198 On Mon, Oct 29, 2018 at 7:24 PM Vlad Grigorescu wrote: > I'd really like to fix this: https://github.com/bro/bro/issues/195 > > I've gotten reports from a few people that that fills up the disk in > environments th

Re: [Bro-Dev] attributes & named types

2018-11-03 Thread Vlad Grigorescu
To better understand the existing behavior, here's the commit that introduced this (specifically with regards to conn_id): https://github.com/bro/bro/commit/38a1aa5a346d10de32f9b40e0869cdb48a98974b > The &log keyword now operates as discussed: > > - When associated with individual record field

Re: [Bro-Dev] attributes & named types

2018-11-03 Thread Vlad Grigorescu
On Sat, Nov 3, 2018 at 9:14 PM Vern Paxson wrote: > Thanks for the pointers & thoughts! A quick question, more in a bit: > > > To better understand the existing behavior, here's the commit that > > introduced this (specifically with regards to conn_id): > > > https://github.com/bro/bro/commit/38

Re: [Bro-Dev] attributes & named types

2018-11-05 Thread Vlad Grigorescu
On Mon, Nov 5, 2018 at 4:40 PM Robin Sommer wrote: > > > On Sat, Nov 03, 2018 at 21:58 +0000, Vlad Grigorescu wrote: > > > In my mind, if the keyword is applied to a record, I would expect any new > > fields added to that record to also be logged. > > I believe th

[Bro-Dev] Should Bro Ignore PCAP Checksums by Default?

2013-06-09 Thread Vlad Grigorescu
Just wanted to offer this up for discussion: Someone recently asked me if there were any "gotchas" to trying Bro. The only thing that I could think of is that if you're reading a PCAP with incorrect checksums, you need to use the -C flag. Having to point this out got me thinking - should this n

Re: [Bro-Dev] Planning for a 2.2 beta

2013-08-12 Thread Vlad Grigorescu
On Aug 12, 2013, at 12:04 PM, Robin Sommer wrote: >- DHCP script cleanup (Seth/Vlad; see BIT-1050) Yep, I'll work on this with Seth. >- SIP analyzer (Vlad; going to happen?) I just have one issue to figure out in BinPAC, to implement this correctly. Right now I'm relying on is_orig,

Re: [Bro-Dev] Planning for a 2.2 beta

2013-08-22 Thread Vlad Grigorescu
On Aug 22, 2013, at 12:58 PM, Robin Sommer wrote: >>- DHCP script cleanup (Seth/Vlad; see BIT-1050) > > Pending. > >>- SIP analyzer (Vlad; going to happen?) > > Pending. Yeah, sorry about that. Getting SumStats working again was a big priority for CMU, so I've been focusing on that

[Bro-Dev] [JIRA] (BIT-1351) Rename the ASCII writer to file writer

2015-03-23 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1351: - Fix Version/s: 2.5 > Rename the ASCII writer to file wri

[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer

2015-03-24 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20109#comment-20109 ] Vlad Grigorescu commented on BIT-1344: -- {quote} is there a reason why you do not regi

[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer

2015-03-25 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20114#comment-20114 ] Vlad Grigorescu commented on BIT-1344: -- Fair enough. I'll get that added.

[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer

2015-03-25 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20115#comment-20115 ] Vlad Grigorescu commented on BIT-1344: -- I committed a change to register the analyze

[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer

2015-03-25 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu reassigned BIT-1344: Assignee: Johanna Amann (was: Vlad Grigorescu) > New SSH Analy

[Bro-Dev] [JIRA] (BIT-1370) SIP Analyzer

2015-04-03 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1370: Summary: SIP Analyzer Key: BIT-1370 URL: https://bro-tracker.atlassian.net/browse/BIT-1370 Project: Bro Issue Tracker Issue Type: New Feature

[Bro-Dev] [JIRA] (BIT-1369) Kerberos Analyzer

2015-04-03 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1369: Summary: Kerberos Analyzer Key: BIT-1369 URL: https://bro-tracker.atlassian.net/browse/BIT-1369 Project: Bro Issue Tracker Issue Type: New Feature

[Bro-Dev] [JIRA] (BIT-1369) Kerberos Analyzer

2015-04-03 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1369?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1369: - Fix Version/s: 2.4 > Kerberos Analyzer > - > > K

[Bro-Dev] [JIRA] (BIT-1370) SIP Analyzer

2015-04-03 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1370?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1370: - Fix Version/s: 2.4 > SIP Analyzer > > > K

[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated

2015-04-17 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20319#comment-20319 ] Vlad Grigorescu commented on BIT-1365: -- This is fixed in topic/vladg/ssh. When fi

[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated

2015-04-17 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1365: - Status: Merge Request (was: Open) > direction field of SSH::Info no longer popula

[Bro-Dev] [JIRA] (BIT-1369) Kerberos Analyzer

2015-04-17 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20320#comment-20320 ] Vlad Grigorescu commented on BIT-1369: -- I merged master, updated the tests (no change

[Bro-Dev] [JIRA] (BIT-1369) Kerberos Analyzer

2015-04-17 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1369?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1369: - Status: Merge Request (was: Open) > Kerberos Analy

[Bro-Dev] [JIRA] (BIT-1379) PE File Analyzer

2015-04-19 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1379: Summary: PE File Analyzer Key: BIT-1379 URL: https://bro-tracker.atlassian.net/browse/BIT-1379 Project: Bro Issue Tracker Issue Type: New Feature

[Bro-Dev] [JIRA] (BIT-1379) PE File Analyzer

2015-04-19 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1379?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1379: - Status: Merge Request (was: Open) > PE File Analyzer > > >

[Bro-Dev] [JIRA] (BIT-1370) SIP Analyzer

2015-04-19 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20323#comment-20323 ] Vlad Grigorescu commented on BIT-1370: -- I merged master, updated the tests (no change

[Bro-Dev] [JIRA] (BIT-1370) SIP Analyzer

2015-04-19 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1370?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1370: - Status: Merge Request (was: Open) > SIP Analyzer > > >

[Bro-Dev] [JIRA] (BIT-1380) Files::add_analyzer documentation has too many fields

2015-04-20 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1380: Summary: Files::add_analyzer documentation has too many fields Key: BIT-1380 URL: https://bro-tracker.atlassian.net/browse/BIT-1380 Project: Bro Issue Tracker

[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated

2015-04-20 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20401#comment-20401 ] Vlad Grigorescu commented on BIT-1365: -- > Any reason why local-local couldn'

[Bro-Dev] [JIRA] (BIT-1369) Kerberos Analyzer

2015-04-20 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20407#comment-20407 ] Vlad Grigorescu commented on BIT-1369: -- > Mind if I rename the krb.log to kerbe

[Bro-Dev] [JIRA] (BIT-1369) Kerberos Analyzer

2015-04-21 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20413#comment-20413 ] Vlad Grigorescu commented on BIT-1369: -- I tweaked the kinit btest to print output for

[Bro-Dev] [JIRA] (BIT-1384) Optimize option leads to internal error

2015-04-22 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1384: Summary: Optimize option leads to internal error Key: BIT-1384 URL: https://bro-tracker.atlassian.net/browse/BIT-1384 Project: Bro Issue Tracker Issue Type

[Bro-Dev] [JIRA] (BIT-1394) Github commit seems to have possible configure issues?

2015-05-07 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1394?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20602#comment-20602 ] Vlad Grigorescu commented on BIT-1394: -- When working with Bro behind an HTTP proxy, I

[Bro-Dev] [JIRA] (BIT-1412) Documentation/control of Jira markup shortcuts?

2015-06-01 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1412?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20908#comment-20908 ] Vlad Grigorescu commented on BIT-1412: -- I don't think they're modifiabl

[Bro-Dev] [JIRA] (BIT-1412) Documentation/control of Jira markup shortcuts?

2015-06-01 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1412?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20910#comment-20910 ] Vlad Grigorescu commented on BIT-1412: -- Ah, my mistake. I believe the editor short

[Bro-Dev] [JIRA] (BIT-1410) tx_hosts and rx_hosts switched in files.log

2015-06-01 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1410?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20911#comment-20911 ] Vlad Grigorescu commented on BIT-1410: -- Fix is in branch topic/vladg/bit-1410 in bro,

[Bro-Dev] [JIRA] (BIT-1410) tx_hosts and rx_hosts switched in files.log

2015-06-01 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1410?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1410: - Status: Merge Request (was: Open) > tx_hosts and rx_hosts switched in files.

[Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub

2015-06-02 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1413: Summary: README files misidentified by GitHub Key: BIT-1413 URL: https://bro-tracker.atlassian.net/browse/BIT-1413 Project: Bro Issue Tracker Issue Type

[Bro-Dev] [JIRA] (BIT-1414) Make PIE option available during compiling

2015-06-02 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20912#comment-20912 ] Vlad Grigorescu commented on BIT-1414: -- It worked just fine for me. What issues were

[Bro-Dev] [JIRA] (BIT-1414) Make PIE option available during compiling

2015-06-15 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21001#comment-21001 ] Vlad Grigorescu commented on BIT-1414: -- There are two compiler/linker flags you can

[Bro-Dev] [JIRA] (BIT-1414) Make PIE option available during compiling

2015-06-15 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21001#comment-21001 ] Vlad Grigorescu edited comment on BIT-1414 at 6/15/15 5:0

[Bro-Dev] [JIRA] (BIT-1427) rare SSH successful login heuristic FPs

2015-06-21 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21005#comment-21005 ] Vlad Grigorescu commented on BIT-1427: -- The heuristic was removed in Bro 2.4 and repl
