[Bro-Dev] [Auto] Merge Status

2014-01-29 Thread Merge Tracker

Open Merge Requests
===

ID            Component   Reporter        Assignee   Updated     For Version  Priority  Summary
------------  ----------  --------------  ---------  ----------  -----------  --------  -------
BIT-1122 [1]  Bro         Jon Siwek       Seth Hall  2014-01-28  2.3          Normal    topic/jsiwek/dns-improvements [2]
BIT-1121 [3]  BroControl  Daniel Thayer   -          2014-01-28  2.3          Normal    topic/dnthayer/test-improvements [4]
BIT-1120 [5]  Bro         Bernhard Amann  -          2014-01-27  2.3          Normal    Fix & extend x509_extension event
BIT-1119 [6]  Bro         Jon Siwek       -          2014-01-28  2.3          Normal    topic/jsiwek/tcp-improvements [7]


Open Fastpath Commits
==

Commit       Component  Author          Date        Summary
-----------  ---------  --------------  ----------  -------
62b3cb0 [8]  bro        Bernhard Amann  2014-01-28  Also use exec-module test to check for leaks.


[1]  BIT-1122           https://bro-tracker.atlassian.net/browse/BIT-1122
[2]  dns-improvements   https://github.com/bro/bro/tree/topic/jsiwek/dns-improvements
[3]  BIT-1121           https://bro-tracker.atlassian.net/browse/BIT-1121
[4]  test-improvements  https://github.com/bro/brocontrol/tree/topic/dnthayer/test-improvements
[5]  BIT-1120           https://bro-tracker.atlassian.net/browse/BIT-1120
[6]  BIT-1119           https://bro-tracker.atlassian.net/browse/BIT-1119
[7]  tcp-improvements   https://github.com/bro/bro/tree/topic/jsiwek/tcp-improvements
[8]  62b3cb0            https://github.com/bro/bro/commit/62b3cb0a5b7bdd8fed1d7d0dae3337115b2feae7

___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


[Bro-Dev] [JIRA] (BIT-1119) topic/jsiwek/tcp-improvements

2014-01-29 Thread Jon Siwek (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15304#comment-15304
 ] 

Jon Siwek commented on BIT-1119:


{quote}
I'm going ahead merging this but I'm wondering about the new 
detect_filtered_trace flag. It's pretty common (in the research world, anyways) 
to run Bro on a SYN/FIN/RST trace and I imagine having this by default off can 
add a lot of warnings in that case. Can we add some other heuristic to detect 
such a trace (i.e., guess whether detect_filtered_trace should be on)? A 
(very) coarse approach would simply be a global variable recording if we've 
ever seen anything else than a TCP control packet. Thoughts?
{quote}

If a person found out that Bro automatically switched modes part way through 
the trace, they will probably just re-run after manually toggling the option, 
right?  Maybe treat it in a similar way to checksums -- have a FAQ and/or have 
some script warn if all TCP connections are missing 100% of content and suggest 
toggling {{detect_filtered_trace}} if the person would like to trade off 
correctness for minimized output.  But if it's actually not that important for 
a person using filtered traces to minimize output, I think it's fine enough as 
is?

> topic/jsiwek/tcp-improvements
> -
>
> Key: BIT-1119
> URL: https://bro-tracker.atlassian.net/browse/BIT-1119
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Jon Siwek
> Fix For: 2.3
>
>
> This branch is in the bro, bro-testing, and bro-testing-private repos and has 
> a few changes to improve reporting of TCP connection sizes and gaps (commit 
> messages explain in more detail).
> The baseline changes in the external repos all seemed reasonable/explainable 
> (or actually fix a problem).  There's too much changed to go through 
> case-by-case and actually check things, but I did do closer examinations of 
> unique differences as I came across them (e.g. try to corroborate Bro results 
> via wireshark).  Then for those that seem to follow the same trend as 
> something I already inspected, I wouldn't manually check.



--
This message was sent by Atlassian JIRA
(v6.2-OD-07-028#6211)


[Bro-Dev] [JIRA] (BIT-1119) topic/jsiwek/tcp-improvements

2014-01-29 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15305#comment-15305
 ] 

Robin Sommer commented on BIT-1119:
---

{quote}
have some script warn if all TCP connections are missing 100% of content and 
suggest toggling detect_filtered_trace
{quote}

I like that, is that something we can do efficiently?

{quote}
 But if it's actually not that important for a person using filtered traces to 
minimize output, I think it's fine enough as is?
{quote}

It's less the volume of output but the potential for confusion: one sees it and 
starts wondering what's wrong. It's easy to forget that TCP analysis gets 
confused because the trace is filtered. So if there was some way to point that 
out, that's all it would need. 

It's not a biggie but it's indeed in the same category like the checksums: 
something easy to get wrong without realizing what's going on, in particular 
because we're changing the default here.




[Bro-Dev] [JIRA] (BIT-1121) topic/dnthayer/test-improvements

2014-01-29 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1121?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1121:
--

Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> topic/dnthayer/test-improvements
> 
>
> Key: BIT-1121
> URL: https://bro-tracker.atlassian.net/browse/BIT-1121
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: BroControl
>Reporter: Daniel Thayer
> Fix For: 2.3
>
>
> Various improvements to the test build scripts to address some
> error scenarios and to provide convenience features (added a
> new makefile target "rerun" to more easily re-run failed tests,
> and scripts now recognize two new env. vars. to enable doing a
> non-standard build).  Improved the test diff canonifiers
> to do more thorough checking, and to workaround an issue in btest-diff
> which was causing some failed tests to not be reported as failed.
> Added lots of new tests (there are now 50% more test cases) to 
> fill in gaps in the test coverage.  Also improved many existing
> tests.





[Bro-Dev] [JIRA] (BIT-1120) Fix & extend x509_extension event

2014-01-29 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1120:
--

Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Fix & extend x509_extension event
> -
>
> Key: BIT-1120
> URL: https://bro-tracker.atlassian.net/browse/BIT-1120
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master, 2.2
>Reporter: Bernhard Amann
> Fix For: 2.3
>
>
> Please merge topic/bernhard/fix-x509-extension.
> This branch fixes and extends the x509_extension event, which was never 
> called in the previous implementation. The event now parses the extension 
> into a bro data structure. If supports printing it, it is converted into the 
> openssl ascii output, otherwise a raw hex-dump is output.
> New event syntax:
> event x509_extension(c: connection, is_orig: bool, cert:X509, extension: X509_extension_info)
> Example output for extension:
>   [name=X509v3 Extended Key Usage,
>    short_name=extendedKeyUsage,
>    oid=2.5.29.37,
>    critical=F,
>    value=TLS Web Server Authentication, TLS Web Client Authentication]
>   [name=X509v3 Certificate Policies,
>    short_name=certificatePolicies,
>    oid=2.5.29.32,
>    critical=F,
>    value=Policy: 1.3.6.1.4.1.6449.1.2.1.3.4^J  CPS: https://secure.comodo.com/CPS^J]





[Bro-Dev] [JIRA] (BIT-1119) topic/jsiwek/tcp-improvements

2014-01-29 Thread Seth Hall (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Seth Hall updated BIT-1119:
---

Attachment: signature.asc



We could probably do it similarly to how we're doing the detection of invalid 
checksums by sampling weirds for a little bit.  I also like this approach a 
lot.  I think that keeping the default settings of Bro working "correctly" in 
the normal case is good, but it's awesome to be able to notify people when 
things are failing and how they could fix it.





[Bro-Dev] [JIRA] (BIT-1119) topic/jsiwek/tcp-improvements

2014-01-29 Thread Jon Siwek (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15307#comment-15307
 ] 

Jon Siwek commented on BIT-1119:


{quote}
it's less the volume of output but the potential for confusion: one sees it and 
starts wondering what's wrong. It's easy to forget that TCP analysis gets 
confused because the trace is filtered.
{quote}

I might be misremembering (or repressed the details of the TCP code), but isn't 
the TCP analysis *less* confused in the face of filtered traces with the 
change?  i.e. things are now most correct and it actually reports content gaps 
so e.g. missing_bytes fields for connections can be populated.

{quote}
but it's awesome to be able to notify people when things are failing and how 
they could fix it.
{quote}

I wouldn't say filtered traces fail due to the change, you just get more, 
possibly unexpected but not incorrect, output.

(I'm just trying to clarify perspective, not really against idea of sampling 
weirds to issue suggestion/warning)

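The two heuristics proposed in this thread (a global "seen anything other than a TCP control packet" flag, and a warning when all TCP connections are missing 100% of content), worked through offline in Python as an added example. This is not Bro code and not part of the branch; the `Pkt` record, the function names and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
CONTROL = SYN | FIN | RST

@dataclass
class Pkt:
    """One captured TCP segment (constructed record, not a Bro type)."""
    conn: str          # hypothetical connection label
    is_orig: bool      # True if sent by the connection originator
    flags: int
    seq: int
    payload_len: int = 0

def saw_non_control(pkts):
    """Coarse check: has any segment without SYN/FIN/RST been seen?"""
    return any(not (p.flags & CONTROL) for p in pkts)

def missing_content_ratio(pkts):
    """Share of connections whose sequence numbers imply payload although
    none was captured. Returns None if no connection implies payload."""
    isn, end, seen = {}, {}, {}
    for p in pkts:
        key = (p.conn, p.is_orig)
        seen[p.conn] = seen.get(p.conn, 0) + p.payload_len
        if p.flags & SYN:
            isn[key] = p.seq
        if p.flags & FIN:
            # Sequence number of the FIN itself (after any payload it carries).
            end[key] = (p.seq + p.payload_len) % 2**32
    expected = {}
    for key in isn.keys() & end.keys():
        # SYN consumes one sequence number, so payload = FIN seq - ISN - 1.
        expected[key[0]] = expected.get(key[0], 0) + (end[key] - isn[key] - 1) % 2**32
    with_content = [c for c, n in expected.items() if n > 0]
    if not with_content:
        return None
    return sum(1 for c in with_content if seen[c] == 0) / len(with_content)

def suggest_detect_filtered_trace(pkts):
    """True when every connection with implied content captured none of it."""
    return missing_content_ratio(pkts) == 1.0

# Constructed sample: a SYN/FIN/RST-only capture of two connections ...
FILTERED = [
    Pkt("c1", True, SYN, 1000),
    Pkt("c1", False, SYN | ACK, 5000),
    Pkt("c1", True, FIN | ACK, 1301),    # originator sent 300 bytes
    Pkt("c1", False, FIN | ACK, 6201),   # responder sent 1200 bytes
    Pkt("c2", True, SYN, 77),
    Pkt("c2", False, RST, 0),
]
# ... and the same capture with c1's data segments present.
FULL = FILTERED[:2] + [
    Pkt("c1", True, ACK, 1001, 300),
    Pkt("c1", False, ACK, 5001, 1200),
] + FILTERED[2:]

if __name__ == "__main__":
    for name, trace in (("filtered", FILTERED), ("full", FULL)):
        print(name, saw_non_control(trace), missing_content_ratio(trace),
              suggest_detect_filtered_trace(trace))
```

Retransmitted segments would be counted twice in `seen`, which only matters for a ratio strictly between 0 and 1; the 100% case the thread cares about is unaffected.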


[Bro-Dev] [JIRA] (BIT-1123) topic/jdopheid/bro/edits_to_installation_and_getting_started

2014-01-29 Thread Jeannette Dopheide (JIRA)
Jeannette Dopheide created BIT-1123:
---

 Summary: 
topic/jdopheid/bro/edits_to_installation_and_getting_started
 Key: BIT-1123
 URL: https://bro-tracker.atlassian.net/browse/BIT-1123
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Jeannette Dopheide


Minor grammar edits to Installation and Quick Start pages

Also, please let me know if I need to modify future JIRA tickets.

Thanks,
Jeannette



Repository : ssh://g...@bro-ids.icir.org/bro

On branch  : topic/jdopheid/bro/edits_to_installation_and_getting_started
Link   : 
https://github.com/bro/bro/commit/4c52c378d5873abb052d688251f0ec7f5aa1c514

And: 

Repository : ssh://g...@bro-ids.icir.org/bro

On branch  : topic/jdopheid/bro/edits_to_installation_and_getting_started
Link   : 
https://github.com/bro/bro/commit/af95026348688e0df8c867f67d2a53a3d440cf41






[Bro-Dev] [JIRA] (BIT-1123) topic/jdopheid/bro/edits_to_installation_and_getting_started

2014-01-29 Thread Jeannette Dopheide (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1123?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeannette Dopheide updated BIT-1123:


Status: Merge Request  (was: Open)



[Bro-Dev] [JIRA] (BIT-1123) topic/jdopheid/bro/edits_to_installation_and_getting_started

2014-01-29 Thread Jeannette Dopheide (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1123?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeannette Dopheide updated BIT-1123:


Fix Version/s: 2.3



[Bro-Dev] [JIRA] (BIT-1125) topic/jsiwek/http-file-id-caching

2014-01-29 Thread Jon Siwek (JIRA)
Jon Siwek created BIT-1125:
--

 Summary: topic/jsiwek/http-file-id-caching
 Key: BIT-1125
 URL: https://bro-tracker.atlassian.net/browse/BIT-1125
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Jon Siwek
 Fix For: 2.3


This branch is in bro and bro-testing repos.  It adds a file ID caching / "fast 
path" mechanism to the file analysis API and adapts HTTP to use it for 
performance improvement.





[Bro-Dev] [JIRA] (BIT-1125) topic/jsiwek/http-file-id-caching

2014-01-29 Thread Jon Siwek (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1125?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jon Siwek updated BIT-1125:
---

Status: Merge Request  (was: Open)



[Bro-Dev] [JIRA] (BIT-1124) process command misplaces custom scripts

2014-01-29 Thread Robin Sommer (JIRA)
Robin Sommer created BIT-1124:
-

 Summary: process command misplaces custom scripts
 Key: BIT-1124
 URL: https://bro-tracker.atlassian.net/browse/BIT-1124
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: 2.2
Reporter: Robin Sommer


{noformat}
# cat test.bro
@load base/utils/site
print Site::local_nets;
{noformat}

{{broctl  process trace.pcap test.bro}} gives:

{noformat}
error in /usr/local/bro-2.2/share/bro/policy/misc/loaded-scripts.bro, line 4: syntax error, at or near "module"
{noformat}

I believe it's due to test.bro being placed in the middle of the command line 
that {{process}} builds. If I move it to the end, it works fine.






[Bro-Dev] [Auto] Merge Status

2014-01-29 Thread Merge Tracker

Open Merge Requests
===

ID            Component  Reporter            Assignee   Updated     For Version  Priority  Summary
------------  ---------  ------------------  ---------  ----------  -----------  --------  -------
BIT-1125 [1]  Bro        Jon Siwek           -          2014-01-29  2.3          Normal    topic/jsiwek/http-file-id-caching [2]
BIT-1123 [3]  Bro        Jeannette Dopheide  -          2014-01-29  2.3          Normal    topic/jdopheid/bro/edits_to_installation_and_getting_started [4]
BIT-1122 [5]  Bro        Jon Siwek           Seth Hall  2014-01-28  2.3          Normal    topic/jsiwek/dns-improvements [6]
BIT-1119 [7]  Bro        Jon Siwek           -          2014-01-29  2.3          Normal    topic/jsiwek/tcp-improvements [8]


Open Fastpath Commits
==

Commit       Component  Author          Date        Summary
-----------  ---------  --------------  ----------  -------
62b3cb0 [9]  bro        Bernhard Amann  2014-01-28  Also use exec-module test to check for leaks.


[1]  BIT-1125                                   https://bro-tracker.atlassian.net/browse/BIT-1125
[2]  http-file-id-caching                       https://github.com/bro/bro/tree/topic/jsiwek/http-file-id-caching
[3]  BIT-1123                                   https://bro-tracker.atlassian.net/browse/BIT-1123
[4]  edits_to_installation_and_getting_started  https://github.com/bro/bro/tree/topic/jdopheid/bro/edits_to_installation_and_getting_started
[5]  BIT-1122                                   https://bro-tracker.atlassian.net/browse/BIT-1122
[6]  dns-improvements                           https://github.com/bro/bro/tree/topic/jsiwek/dns-improvements
[7]  BIT-1119                                   https://bro-tracker.atlassian.net/browse/BIT-1119
[8]  tcp-improvements                           https://github.com/bro/bro/tree/topic/jsiwek/tcp-improvements
[9]  62b3cb0                                    https://github.com/bro/bro/commit/62b3cb0a5b7bdd8fed1d7d0dae3337115b2feae7
