[Bro-Dev] [JIRA] (BIT-1572) Please merge topic/johanna/intel-uid-fuid

2016-04-28 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1572:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Please merge topic/johanna/intel-uid-fuid
> -
>
> Key: BIT-1572
> URL: https://bro-tracker.atlassian.net/browse/BIT-1572
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
> Fix For: 2.5
>
>
> Please merge topic/johanna/intel-uid-fuid. 
> This patch allows users to provide the fuid or the connection id directly, in 
> case they do not have access to either in the event that they handle.
> An example for this is the handling of certificates in SSL, where the fa_file 
> record cannot be retained because this would create a cyclic data structure.
> This patch also provides file IDs for hostname matches in certificates, which 
> was not possible with the previous API.



--
This message was sent by Atlassian JIRA
(v1000.5.0#72002)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


[Bro-Dev] [JIRA] (BIT-1574) Please merge topic/johanna/imap-starttls

2016-04-28 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1574?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1574:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Please merge topic/johanna/imap-starttls
> 
>
> Key: BIT-1574
> URL: https://bro-tracker.atlassian.net/browse/BIT-1574
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/imap-starttls
> This adds a very rudimentary IMAP analyzer (binpac based), which parses just 
> enough of the protocol to recognize when a server switches to SSL using 
> StartTLS, switching a connection to the SSL analyzer from this point.



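The hand-off the analyzer described above performs, written out as an added example (Python, not Bro's binpac analyzer and not code from this ticket): a small detector that follows the plaintext IMAP exchange, remembers the tag of a pending STARTTLS command, and reports the per-direction byte offset after which the stream is TLS and would be handed to an SSL analyzer. The command and response shapes come from RFC 2595 and RFC 3501; the two sessions in the block are constructed, and the refused case shows why the detector must not switch on the client's request alone.

```python
"""Minimal IMAP STARTTLS detector.

Added example, not Bro's binpac analyzer. Per RFC 2595 the client sends
"<tag> STARTTLS"; if the server answers "<tag> OK ..." both directions
carry TLS from the byte after that response. A "NO"/"BAD" answer keeps
the session in plaintext.
"""
import re
from typing import Iterator, List, Optional, Tuple

CRLF = b"\r\n"
STARTTLS_CMD = re.compile(rb"^(?P<tag>\S+) STARTTLS\s*$", re.IGNORECASE)
TAGGED_RESP = re.compile(rb"^(?P<tag>\S+) (?P<status>OK|NO|BAD)\b", re.IGNORECASE)


def _lines(data: bytes, base: int) -> Iterator[Tuple[bytes, int]]:
    """Yield (line_without_crlf, absolute_offset_just_past_the_crlf)."""
    start = 0
    while True:
        idx = data.find(CRLF, start)
        if idx < 0:
            return
        end = idx + len(CRLF)
        yield data[start:idx], base + end
        start = end


class ImapStartTlsDetector:
    """Feed each direction's bytes in arrival order; offsets are per direction."""

    def __init__(self) -> None:
        self.pending_tag: Optional[bytes] = None   # unanswered STARTTLS tag
        self.client_tls_offset: Optional[int] = None
        self.server_tls_offset: Optional[int] = None
        self.client_pos = 0
        self.server_pos = 0

    def feed_client(self, data: bytes) -> None:
        for line, end in _lines(data, self.client_pos):
            if self.client_tls_offset is not None:
                continue    # waiting for the server's verdict, or already TLS
            m = STARTTLS_CMD.match(line)
            if m:
                self.pending_tag = m.group("tag")
                self.client_tls_offset = end   # tentative until the server answers
        self.client_pos += len(data)

    def feed_server(self, data: bytes) -> None:
        for line, end in _lines(data, self.server_pos):
            if self.server_tls_offset is not None:
                continue    # already TLS: these bytes are not IMAP
            m = TAGGED_RESP.match(line)
            if not m or m.group("tag") != self.pending_tag:
                continue    # untagged or unrelated response
            if m.group("status").upper() == b"OK":
                self.server_tls_offset = end   # TLS records start here
            else:
                self.client_tls_offset = None  # refused: session stays plaintext
            self.pending_tag = None
        self.server_pos += len(data)

    def switched_to_tls(self) -> bool:
        return self.client_tls_offset is not None and self.server_tls_offset is not None


def detect_starttls(exchange: List[Tuple[str, bytes]]) -> Tuple[Optional[int], Optional[int]]:
    """Run the detector over ("c"|"s", bytes) chunks given in wire order."""
    det = ImapStartTlsDetector()
    for direction, chunk in exchange:
        (det.feed_client if direction == "c" else det.feed_server)(chunk)
    return det.client_tls_offset, det.server_tls_offset


# Constructed sessions, not captured traffic.
SESSION_UPGRADED = [
    ("s", b"* OK IMAP4rev1 Service Ready\r\n"),
    ("c", b"a001 CAPABILITY\r\n"),
    ("s", b"* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n"
          b"a001 OK CAPABILITY completed\r\n"),
    ("c", b"a002 STARTTLS\r\n"),
    ("s", b"a002 OK Begin TLS negotiation now\r\n"),
    ("c", b"\x16\x03\x01\x00\x05hello"),   # TLS ClientHello fragment, no longer IMAP
]
SESSION_REFUSED = [
    ("s", b"* OK IMAP4rev1 Service Ready\r\n"),
    ("c", b"a001 STARTTLS\r\n"),
    ("s", b"a001 BAD STARTTLS not available\r\n"),
    ("c", b"a002 LOGIN alice secret\r\n"),   # stays plaintext: credentials exposed
]

if __name__ == "__main__":
    print(detect_starttls(SESSION_UPGRADED))   # (32, 142)
    print(detect_starttls(SESSION_REFUSED))    # (None, None)
```

The offsets are what a protocol analyzer needs to stop treating the stream as IMAP: everything from the server's `OK` line onward is TLS record data. A detector that switched on the client's `STARTTLS` alone would misclassify the refused session, where the following `LOGIN` travels in the clear.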


[Bro-Dev] [JIRA] (BIT-1449) Wrap Broker Bifs into script-level functions

2016-04-28 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1449:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Wrap Broker Bifs into script-level functions
> 
>
> Key: BIT-1449
> URL: https://bro-tracker.atlassian.net/browse/BIT-1449
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Robin Sommer
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> When working with Broker in Bro, one currently calls its bifs directly. That 
> works just fine, but is a problem for documentation: the bifs are defined 
> outside of the Broker framework, splitting the information across two places.
> We should do here what other frameworks do: rename the Bifs to have 
> internal-only names ({{__}}) and then provide wrapper functions inside 
> the framework that just forward to those internal ones.





[Bro-Dev] [JIRA] (BIT-1449) Wrap Broker Bifs into script-level functions

2016-04-28 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=26003#comment-26003
 ] 

Robin Sommer commented on BIT-1449:
---

Nice, thanks!

> Wrap Broker Bifs into script-level functions
> 
>
> Key: BIT-1449
> URL: https://bro-tracker.atlassian.net/browse/BIT-1449
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Robin Sommer
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> When working with Broker in Bro, one currently calls its bifs directly. That 
> works just fine, but is a problem for documentation: the bifs are defined 
> outside of the Broker framework, splitting the information across two places.
> We should do here what other frameworks do: rename the Bifs to have 
> internal-only names ({{__}}) and then provide wrapper functions inside 
> the framework that just forward to those internal ones.





[Bro-Dev] [JIRA] (BIT-1449) Wrap Broker Bifs into script-level functions

2016-04-28 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1449:
-

Assignee: Robin Sommer

> Wrap Broker Bifs into script-level functions
> 
>
> Key: BIT-1449
> URL: https://bro-tracker.atlassian.net/browse/BIT-1449
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Robin Sommer
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> When working with Broker in Bro, one currently calls its bifs directly. That 
> works just fine, but is a problem for documentation: the bifs are defined 
> outside of the Broker framework, splitting the information across two places.
> We should do here what other frameworks do: rename the Bifs to have 
> internal-only names ({{__}}) and then provide wrapper functions inside 
> the framework that just forward to those internal ones.





[Bro-Dev] [JIRA] (BIT-1567) Please merge topic/johanna/intel-cert-hash

2016-04-22 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1567:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Please merge topic/johanna/intel-cert-hash
> --
>
> Key: BIT-1567
> URL: https://bro-tracker.atlassian.net/browse/BIT-1567
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master, 2.4
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/intel-cert-hash; this patch makes it so that the 
> indicator type INTEL::CERT_HASH actually matches against certificate hashes.





[Bro-Dev] [JIRA] (BIT-1567) Please merge topic/johanna/intel-cert-hash

2016-04-22 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1567:
-

Assignee: Robin Sommer

> Please merge topic/johanna/intel-cert-hash
> --
>
> Key: BIT-1567
> URL: https://bro-tracker.atlassian.net/browse/BIT-1567
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master, 2.4
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/intel-cert-hash; this patch makes it so that the 
> indicator type INTEL::CERT_HASH actually matches against certificate hashes.





[Bro-Dev] [JIRA] (BIT-1557) broccoli code examples don't compile

2016-04-08 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1557:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> broccoli code examples don't compile
> 
>
> Key: BIT-1557
> URL: https://bro-tracker.atlassian.net/browse/BIT-1557
> Project: Bro Issue Tracker
>  Issue Type: Task
>  Components: Broccoli
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
>Priority: Low
> Fix For: 2.5
>
>
> In the broccoli manual, there are code examples, and some of them contain
> errors that prevent the code from compiling.





[Bro-Dev] [JIRA] (BIT-1528) SNMP and SIP scans show up in known services.

2016-04-08 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1528:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> SNMP and SIP scans show up in known services.
> -
>
> Key: BIT-1528
> URL: https://bro-tracker.atlassian.net/browse/BIT-1528
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Justin Azoff
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> It appears that single packet SIP and SNMP scans cause the destination host 
> to end up in known_services as running a SIP or SNMP service, even though 
> they are not running that service and did not respond to the packet.





[Bro-Dev] [JIRA] (BIT-1528) SNMP and SIP scans show up in known services.

2016-04-07 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1528:
-

Assignee: Robin Sommer

> SNMP and SIP scans show up in known services.
> -
>
> Key: BIT-1528
> URL: https://bro-tracker.atlassian.net/browse/BIT-1528
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Justin Azoff
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> It appears that single packet SIP and SNMP scans cause the destination host 
> to end up in known_services as running a SIP or SNMP service, even though 
> they are not running that service and did not respond to the packet.





[Bro-Dev] [JIRA] (BIT-1557) broccoli code examples don't compile

2016-04-07 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1557:
-

Assignee: Robin Sommer

> broccoli code examples don't compile
> 
>
> Key: BIT-1557
> URL: https://bro-tracker.atlassian.net/browse/BIT-1557
> Project: Bro Issue Tracker
>  Issue Type: Task
>  Components: Broccoli
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
>Priority: Low
> Fix For: 2.5
>
>
> In the broccoli manual, there are code examples, and some of them contain
> errors that prevent the code from compiling.





[Bro-Dev] [JIRA] (BIT-1533) mysql analyzer does not set service to mysql

2016-03-22 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1533:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> mysql analyzer does not set service to mysql
> 
>
> Key: BIT-1533
> URL: https://bro-tracker.atlassian.net/browse/BIT-1533
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Justin Azoff
>Assignee: Robin Sommer
>Priority: Low
>
> The mysql analyzer does not set the service to mysql.  The result of this is 
> that conn.log and known_services do not show 'mysql' anywhere.





[Bro-Dev] [JIRA] (BIT-1533) mysql analyzer does not set service to mysql

2016-03-21 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1533:
-

Assignee: Robin Sommer

> mysql analyzer does not set service to mysql
> 
>
> Key: BIT-1533
> URL: https://bro-tracker.atlassian.net/browse/BIT-1533
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Justin Azoff
>Assignee: Robin Sommer
>Priority: Low
>
> The mysql analyzer does not set the service to mysql.  The result of this is 
> that conn.log and known_services do not show 'mysql' anywhere.





[Bro-Dev] [JIRA] (BIT-1553) Please merge topic/johanna/filter_subnet_table

2016-03-21 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1553:
-

Assignee: Robin Sommer

> Please merge topic/johanna/filter_subnet_table
> --
>
> Key: BIT-1553
> URL: https://bro-tracker.atlassian.net/browse/BIT-1553
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
>
> Please merge topic/johanna/filter_subnet_table
> This branch adds the filter_subnet_table bif. This bif works similarly to the 
> matching_subnet bif. The difference is that, instead of returning a vector of 
> the subnets that match, we return a filtered view of the original set/table 
> only containing the changed subnets.
> The branch also fixes a small bug in TableVal::UpdateTimestamp (ReadOperation 
> only has to be called when LoggingAccess() is true).





[Bro-Dev] [JIRA] (BIT-1550) Please merge topic/johanna/netcontrol

2016-03-11 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1550?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1550:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Please merge topic/johanna/netcontrol
> -
>
> Key: BIT-1550
> URL: https://bro-tracker.atlassian.net/browse/BIT-1550
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/netcontrol, which contains the NetControl 
> framework and some small core changes necessary for it.
> The core changes are:
>  - add support for the PrefixTable and patricia tree to dump lists of covered 
> IP addresses
>  - add a number of bifs
>  - add tracking of recursive types to prevent a crash when a function takes 
> as an argument a record of which the function itself is a member
> The framework will get a few small updates in the future. However, these 
> mostly should be small missing features and either not affect the API at all, 
> or only contain minor changes.





[Bro-Dev] [JIRA] (BIT-1550) Please merge topic/johanna/netcontrol

2016-03-11 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1550?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1550:
-

Assignee: Robin Sommer

> Please merge topic/johanna/netcontrol
> -
>
> Key: BIT-1550
> URL: https://bro-tracker.atlassian.net/browse/BIT-1550
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/netcontrol, which contains the NetControl 
> framework and some small core changes necessary for it.
> The core changes are:
>  - add support for the PrefixTable and patricia tree to dump lists of covered 
> IP addresses
>  - add a number of bifs
>  - add tracking of recursive types to prevent a crash when a function takes 
> as an argument a record of which the function itself is a member
> The framework will get a few small updates in the future. However, these 
> mostly should be small missing features and either not affect the API at all, 
> or only contain minor changes.





[Bro-Dev] [JIRA] (BIT-1543) Kafka Logger - Writes Bro Logs to Kafka

2016-03-10 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1543?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1543:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Kafka Logger - Writes Bro Logs to Kafka
> ---
>
> Key: BIT-1543
> URL: https://bro-tracker.atlassian.net/browse/BIT-1543
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Nick Allen
>Assignee: Robin Sommer
>
> As part of the Apache Metron project, we needed a way to send Bro logs to 
> Kafka. From my research it seems like this is a common request. I'd rather 
> give this code back to the Bro community than maintain it as part of Apache 
> Metron.
> This Bro plugin logs all Bro output to Kafka. Configuring this plugin is as 
> simple as adding the following Bro script.
> {code}
> @load Bro/Kafka/logs-to-kafka.bro
> redef Kafka::logs_to_send = set(Conn::LOG, HTTP::LOG, DNS::LOG);
> redef Kafka::topic_name = "bro";
> redef Kafka::kafka_conf = table(
>     ["metadata.broker.list"] = "localhost:9092"
> );
> {code}
> This plugin has the following features.
> * The user can specify a subset of all logs that should be sent to kafka. For 
> example, to only send conn, http, and dns logs, specify the following.
> {code}
> redef Kafka::logs_to_send = set(Conn::LOG, HTTP::LOG, DNS::LOG);
> {code}
> * Full configurability of Kafka connectivity. Any configuration setting 
> accepted by the librdkafka library can be passed to the plugin to tune how 
> the logs are sent to Kafka.
> {code}
> redef Kafka::kafka_conf = table(
>     ["metadata.broker.list"] = "localhost:9092",
>     ["client.id"] = "bro"
> );
> {code}
> * The plugin will wait a configurable period of time (for example, 3 seconds) 
> after shutdown to attempt to send any queued messages to Kafka.
> {code}
> redef Kafka::max_wait_on_shutdown = 3000;
> {code}
> * There are two message formats to choose from. By default, the standard Bro 
> JSON format is used. There is an alternative 'tagged JSON' format that is 
> provided by the plugin. Currently, all messages are sent to a single Bro 
> topic. This 'tagged JSON' format helps a Kafka consumer distinguish which log 
> stream the message originated from. This format prepends the log stream 
> identifier to the JSON message.
> {code}
> {'conn': { ... }}
> {'http': { ... }}
> {'dns': { ... }}
> {code}
> To enable this alternative format, simply specify the following.
> {{redef Kafka::tag_json = T;}}





[Bro-Dev] [JIRA] (BIT-1546) Please merge topic/johanna/str-functions

2016-03-08 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1546:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Please merge topic/johanna/str-functions
> 
>
> Key: BIT-1546
> URL: https://bro-tracker.atlassian.net/browse/BIT-1546
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> topic/johanna/str-functions replaces a few string functions in Bro with 
> functions provided by the standard operating system libraries.





[Bro-Dev] [JIRA] (BIT-1543) Kafka Logger - Writes Bro Logs to Kafka

2016-03-08 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1543?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1543:
-

Assignee: Robin Sommer  (was: Seth Hall)

> Kafka Logger - Writes Bro Logs to Kafka
> ---
>
> Key: BIT-1543
> URL: https://bro-tracker.atlassian.net/browse/BIT-1543
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Nick Allen
>Assignee: Robin Sommer
>
> As part of the Apache Metron project, we needed a way to send Bro logs to 
> Kafka. From my research it seems like this is a common request. I'd rather 
> give this code back to the Bro community than maintain it as part of Apache 
> Metron.
> This Bro plugin logs all Bro output to Kafka. Configuring this plugin is as 
> simple as adding the following Bro script.
> {code}
> @load Bro/Kafka/logs-to-kafka.bro
> redef Kafka::logs_to_send = set(Conn::LOG, HTTP::LOG, DNS::LOG);
> redef Kafka::topic_name = "bro";
> redef Kafka::kafka_conf = table(
>     ["metadata.broker.list"] = "localhost:9092"
> );
> {code}
> This plugin has the following features.
> * The user can specify a subset of all logs that should be sent to kafka. For 
> example, to only send conn, http, and dns logs, specify the following.
> {code}
> redef Kafka::logs_to_send = set(Conn::LOG, HTTP::LOG, DNS::LOG);
> {code}
> * Full configurability of Kafka connectivity. Any configuration setting 
> accepted by the librdkafka library can be passed to the plugin to tune how 
> the logs are sent to Kafka.
> {code}
> redef Kafka::kafka_conf = table(
>     ["metadata.broker.list"] = "localhost:9092",
>     ["client.id"] = "bro"
> );
> {code}
> * The plugin will wait a configurable period of time (for example, 3 seconds) 
> after shutdown to attempt to send any queued messages to Kafka.
> {code}
> redef Kafka::max_wait_on_shutdown = 3000;
> {code}
> * There are two message formats to choose from. By default, the standard Bro 
> JSON format is used. There is an alternative 'tagged JSON' format that is 
> provided by the plugin. Currently, all messages are sent to a single Bro 
> topic. This 'tagged JSON' format helps a Kafka consumer distinguish which log 
> stream the message originated from. This format prepends the log stream 
> identifier to the JSON message.
> {code}
> {'conn': { ... }}
> {'http': { ... }}
> {'dns': { ... }}
> {code}
> To enable this alternative format, simply specify the following.
> {{redef Kafka::tag_json = T;}}





[Bro-Dev] [JIRA] (BIT-1546) Please merge topic/johanna/str-functions

2016-03-08 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1546:
-

Assignee: Robin Sommer

> Please merge topic/johanna/str-functions
> 
>
> Key: BIT-1546
> URL: https://bro-tracker.atlassian.net/browse/BIT-1546
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> topic/johanna/str-functions replaces a few string functions in Bro with 
> functions provided by the standard operating system libraries.





[Bro-Dev] [JIRA] (BIT-1547) broctl sets the same state variables over and over

2016-03-08 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1547:
-

Assignee: Justin Azoff

> broctl sets the same state variables over and over
> --
>
> Key: BIT-1547
> URL: https://bro-tracker.atlassian.net/browse/BIT-1547
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: BroControl
>Affects Versions: git/master
>Reporter: Justin Azoff
>Assignee: Justin Azoff
> Fix For: 2.5
>
>
> I happened to notice broctl check on one of our test boxes was slow. I traced 
> it to sqlite commit() calls being very slow. Then I noticed that broctl seems to 
> call set_state() with the same key, val over and over again, once for each 
> worker, so a few thousand sets just to run broctl check.
> Changing set_state to
> {code}
> # Set a dynamic state variable.
> def set_state(self, key, val):
> key = key.lower()
> if self.state.get(key) == val:
> return
> self.state[key] = val
> self.state_store.set(key, val)
> {code}
> Seemed to mostly fix it, aside from this:
> {code}
> Set manager-port to 47760
> Set manager-port to 47761
> Set manager-port to 47760
> Set manager-port to 47761
> Set manager-port to 47760
> Set manager-port to 47761
> Set manager-port to 47760
> Set manager-port to 47761
> Set manager-port to 47760
> Set manager-port to 47761
> Set manager-port to 47760
> Set manager-port to 47761
> {code}
> any idea why that is flipping around like that?
> We should possibly add a way for broctl to update state vars without calling 
> commit where it knows it will be setting a large number of state vars in a 
> loop.



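The two mitigations the report above suggests (skip the write when the value is unchanged, and avoid a commit per call inside a loop), as an added example that is not BroControl's code: a small sqlite-backed state store with a commit counter so the effect of each change is measurable. The table layout, the `batch()` context manager and `simulate_check()` are my own; `simulate_check()` only mimics the per-worker loop described in the report.

```python
"""Dedup and batch writes to a sqlite-backed key/value state store.

Added example modelled on the broctl report above; not BroControl's own
code. Two independent fixes are shown:
  1. skip the write entirely when the stored value is unchanged, and
  2. a batch() context manager that defers the commit until the loop ends.
"""
import sqlite3
from contextlib import contextmanager
from typing import Optional


class StateStore:
    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS state (key TEXT PRIMARY KEY, value TEXT)")
        self.db.commit()
        self.state = dict(self.db.execute("SELECT key, value FROM state"))
        self.commits = 0          # instrumentation only: counts commit() calls
        self._batching = False

    def set_state(self, key: str, val: str) -> bool:
        """Store key=val; return True if a database write happened."""
        key = key.lower()
        if self.state.get(key) == val:
            return False          # fix 1: identical value, no sqlite round trip
        self.state[key] = val
        self.db.execute(
            "INSERT OR REPLACE INTO state (key, value) VALUES (?, ?)", (key, val))
        if not self._batching:
            self._commit()
        return True

    def get_state(self, key: str) -> Optional[str]:
        return self.state.get(key.lower())

    @contextmanager
    def batch(self):
        """Fix 2: many set_state() calls, one commit at the end.

        On an exception the transaction is rolled back and the in-memory
        cache is reloaded so it cannot drift from what is on disk.
        """
        self._batching = True
        try:
            yield self
            self._commit()
        except Exception:
            self.db.rollback()
            self.state = dict(self.db.execute("SELECT key, value FROM state"))
            raise
        finally:
            self._batching = False

    def _commit(self) -> None:
        self.db.commit()
        self.commits += 1


def simulate_check(store: StateStore, workers: int, batched: bool) -> int:
    """Mimic a 'broctl check' that sets the same manager-port once per worker
    plus one distinct per-worker key. Returns the number of commits performed."""
    before = store.commits

    def run() -> None:
        for i in range(workers):
            store.set_state("manager-port", "47760")            # same value each time
            store.set_state("worker-%d-port" % i, str(47761 + i))  # distinct per worker

    if batched:
        with store.batch():
            run()
    else:
        run()
    return store.commits - before


if __name__ == "__main__":
    s = StateStore()
    print(simulate_check(s, 4, batched=False))   # first run: distinct keys still commit
    print(simulate_check(s, 4, batched=False))   # second run: nothing changed, no commits
    print(simulate_check(StateStore(), 4, batched=True))   # one commit for the whole loop
```

The dedup check alone removes the repeated identical writes the report measured; the batch context is what helps when the values genuinely differ per worker, which is the situation the report's last paragraph asks for.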


[Bro-Dev] [JIRA] (BIT-1529) Base SIP scripts missing SUBSCRIBE and NOTIFY

2016-03-04 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1529?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1529:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Base SIP scripts missing SUBSCRIBE and NOTIFY
> -
>
> Key: BIT-1529
> URL: https://bro-tracker.atlassian.net/browse/BIT-1529
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: Seth Hall
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> The base/protocols/sip/main.bro script has a set in `sip_methods` which needs 
> to have SUBSCRIBE and NOTIFY added.  They're defined in RFC 3265.





[Bro-Dev] [JIRA] (BIT-1537) bro segfaults after compile in MacOS X 10.11 El Capitan

2016-03-04 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1537?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1537:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> bro segfaults after compile in MacOS X 10.11 El Capitan
> ---
>
> Key: BIT-1537
> URL: https://bro-tracker.atlassian.net/browse/BIT-1537
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Carlos Terrón
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> After compiling with 
> {code}
> ./configure --prefix=/usr/local
> make
> make install
> {code}
> and trying to execute bro with:
> {code}
> bro -i en4 local
> {code}
> bro segfaults with
> {code}
> Program received signal SIGSEGV, Segmentation fault.
> 0x0001003045d2 in file_analysis::X509::ParseCertificate (
> cert_val=, fid=)
> at /Users/terron/tmp/bro-2.4.1/src/file_analysis/analyzer/x509/X509.cc:175
> 175   char *exponent = BN_bn2dec(pkey->pkey.rsa->e);
> (gdb) bt
> #0  0x0001003045d2 in file_analysis::X509::ParseCertificate (
> cert_val=, fid=)
> at /Users/terron/tmp/bro-2.4.1/src/file_analysis/analyzer/x509/X509.cc:175
> #1  0x000100303e5d in file_analysis::X509::EndOfFile (this=0x105f8b710)
> at /Users/terron/tmp/bro-2.4.1/src/file_analysis/analyzer/x509/X509.cc:56
> #2  0x00010033f57a in file_analysis::File::EndOfFile (this=0x100961090)
> at /Users/terron/tmp/bro-2.4.1/src/file_analysis/File.cc:522
> #3  0x00010033bc6e in file_analysis::Manager::RemoveFile (
> this=0x105f8b710, file_id=...)
> at /Users/terron/tmp/bro-2.4.1/src/file_analysis/Manager.cc:395
> #4  0x0001002d910a in 
> binpac::TLSHandshake::Handshake_Conn::proc_certificate (this=0x105f8a220, 
> is_orig=false, certificates=0x100961f90)
> at 
> /Users/terron/tmp/bro-2.4.1/build/src/analyzer/protocol/ssl/tls-handshake_pac.cc:180
> #5  0x0001002d99d4 in 
> binpac::TLSHandshake::Handshake_Conn::proc_v3_certificate (this=0x105f8b710, 
> is_orig=16, cl=)
> at 
> /Users/terron/tmp/bro-2.4.1/build/src/analyzer/protocol/ssl/tls-handshake_pac.cc:323
> #6  0x0001002dc430 in binpac::TLSHandshake::Certificate::Parse (
> this=0x105f8a220, t_begin_of_data=, 
> t_end_of_data=0x101022f2e "", t_context=0x10095e480)
> at 
> /Users/terron/tmp/bro-2.4.1/build/src/analyzer/protocol/ssl/tls-handshake_pac.cc:1977
> {code}





[Bro-Dev] [JIRA] (BIT-1535) conn.log conn_state field or documentation is wrong

2016-03-04 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1535?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1535:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> conn.log conn_state field or documentation is wrong
> ---
>
> Key: BIT-1535
> URL: https://bro-tracker.atlassian.net/browse/BIT-1535
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Justin Azoff
>Assignee: Robin Sommer
>
> There is an issue where the conn.log conn_state field will contain RSTR, 
> which according to the documentation means "Established, responder aborted."
> The problem that I notice is that I see log entries where conn_state is RSTR, 
> but conn_history does not contain an 'h'.  Additionally, the resp_h is 
> absolutely not running a service on resp_p and the orig_h is usually in the 
> process of a tcp scan.
> Here are the top frequencies of RSTR without an h over about a week's worth of 
> conn logs:
> {code}
> 38193 RSTR  Fr
> 3662 RSTR   DFr
> 1801 RSTR   DFdrR
> 1248 RSTR   DRr
> 432 RSTRDrF
> 232 RSTRFar
> 128 RSTRDdAFrR
> 79 RSTR DFadrR
> 64 RSTR DrR
> 58 RSTR DdAFarR
> {code}
> Compared to histories that did contain an h:
> {code}
> 425398 RSTR ShADadFr
> 204149 RSTR ShADadFrR
> 156303 RSTR ShADdFar
> 141795 RSTR ShADadFRRr
> 105704 RSTR ShADadfr
> 79697 RSTR  ShADadr
> 63493 RSTR  ShADaFr
> 51704 RSTR  ShADadF
> 42075 RSTR  ShADdar
> 37678 RSTR  ShADadfRr
> {code}
> I don't have a pcap for this, but I believe many of the weird connections are 
> related to scans or backscatter.
> I'm not sure if the code is wrong or the documentation is wrong, but I don't 
> see how a fin+reset connection could be classified as established.
> Also, one thing that would be a nice documentation addition is the answer to 
> this question:
> Given a conn.log entry, how to determine if there was a connection 
> established?  I thought it would be if the state was in 'SF S1 S2 S3 RSTO 
> RSTR', but RSTR is problematic...



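The check Justin asks for above, written out as an added example (this is not code from the Bro tracker or from the Bro project): a conn.log row counts as established only when its history shows the three-way handshake in order (S, then h, then A), regardless of what conn_state says, and RSTR rows that lack that handshake are tallied as the scan/backscatter pattern described in BIT-1535. History-flag semantics follow the Bro conn.log documentation; the sample rows, the RFC 5737 addresses in them, and the likely_scanners threshold are constructed for illustration and are not Bro settings.

```python
"""Decide from conn.log whether a TCP connection was really established.

Added example for the BIT-1535 discussion, not code from the Bro tracker or
the Bro project. History semantics follow the Bro conn.log documentation:
uppercase = originator, lowercase = responder; s = SYN, h = SYN-ACK, a = ACK,
d = payload, f = FIN, r = RST. The sample rows below are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# conn_state values whose documented meaning includes "established".
ESTABLISHED_STATES = frozenset({"S1", "S2", "S3", "SF", "RSTO", "RSTR"})

# Constructed conn.log excerpt with a reduced field set; the parser keys on
# the #fields header, so the full default layout parses the same way.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tproto\tconn_state\thistory\n"
    "1457049600.000000\tC1\t203.0.113.5\t40000\t192.0.2.10\t22\ttcp\tRSTR\tFr\n"
    "1457049601.000000\tC2\t203.0.113.5\t40001\t192.0.2.10\t23\ttcp\tRSTR\tDFr\n"
    "1457049602.000000\tC3\t192.0.2.20\t51000\t198.51.100.7\t443\ttcp\tRSTR\tShADadFr\n"
    "1457049603.000000\tC4\t192.0.2.20\t51001\t198.51.100.7\t80\ttcp\tSF\tShADadFf\n"
    "1457049604.000000\tC5\t203.0.113.9\t40002\t192.0.2.10\t445\ttcp\tS0\tS\n"
    "1457049605.000000\tC6\t192.0.2.21\t51002\t198.51.100.7\t443\ttcp\tOTH\tDd\n"
    "#close\t2016-03-04-00-00-10\n"
)


@dataclass(frozen=True)
class ConnRecord:
    uid: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    conn_state: str
    history: str


def parse_conn_log(text):
    """Parse tab-separated conn.log text into ConnRecord objects."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        row = dict(zip(fields, line.split("\t")))
        records.append(ConnRecord(
            uid=row["uid"],
            orig_h=row["id.orig_h"], orig_p=int(row["id.orig_p"]),
            resp_h=row["id.resp_h"], resp_p=int(row["id.resp_p"]),
            conn_state=row["conn_state"], history=row["history"]))
    return records


def handshake_completed(history):
    """True when the history shows SYN, SYN-ACK, ACK in order (S ... h ... A).
    A leading '^' (direction flipped by Bro) is ignored; conn_state is not
    consulted at all."""
    h = history.lstrip("^")
    i_s = h.find("S")
    i_h = h.find("h", i_s + 1) if i_s >= 0 else -1
    return i_h >= 0 and h.find("A", i_h + 1) >= 0


def classify(rec):
    """'established', 'scan_or_backscatter' or 'no_handshake' for one record."""
    if handshake_completed(rec.history):
        return "established"
    if rec.conn_state in ESTABLISHED_STATES:
        # conn_state claims establishment but no handshake was seen: the
        # RSTR-without-'h' pattern from the ticket (e.g. history 'Fr').
        return "scan_or_backscatter"
    return "no_handshake"


def suspicious_rstr_histories(records):
    """Histogram of histories for RSTR rows that never completed a handshake."""
    return Counter(r.history for r in records
                   if r.conn_state == "RSTR" and not handshake_completed(r.history))


def likely_scanners(records, min_targets=2):
    """Originators with >= min_targets distinct (host, port) targets and no
    completed handshake; min_targets is an illustrative threshold."""
    targets = defaultdict(set)
    for r in records:
        if not handshake_completed(r.history):
            targets[r.orig_h].add((r.resp_h, r.resp_p))
    return {h: len(t) for h, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print({r.uid: classify(r) for r in recs})
    print(likely_scanners(recs))
```

Run against a real conn.log by passing its contents to parse_conn_log; because the parser reads the #fields header, the extra default columns are carried along without changes. The point of keying on the history string rather than on conn_state is exactly the one the ticket raises: a RSTR row with history "Fr" never saw a SYN-ACK, so treating it as an established connection would over-count successful contacts during a scan.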


[Bro-Dev] [JIRA] (BIT-1542) Please merge topic/johanna/freebsd9

2016-03-04 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1542:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Please merge topic/johanna/freebsd9
> ---
>
> Key: BIT-1542
> URL: https://bro-tracker.atlassian.net/browse/BIT-1542
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/freebsd9 in bro and cmake.
> It adds a bit of text to the installation instructions on how to install Bro 
> on FreeBSD 9.X. It also adds tests to cmake that check if C++11 header files 
> are usable; this prevents issues where a new compiler uses the includes of an 
> older one, which apparently can easily happen on old versions of FreeBSD.





[Bro-Dev] [JIRA] (BIT-1537) bro segfaults after compile in MacOS X 10.11 El Capitan

2016-03-04 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=24607#comment-24607
 ] 

Robin Sommer edited comment on BIT-1537 at 3/4/16 10:37 AM:


Is it possible that broccoli needs some tweaking here too? After merging, I get 
lots of these:

{code}
../src/libbroccoli.so.5.1.0: undefined reference to `RAND_seed'
../src/libbroccoli.so.5.1.0: undefined reference to `RAND_pseudo_bytes'
../src/libbroccoli.so.5.1.0: undefined reference to 
`X509_STORE_CTX_get_error_depth'
../src/libbroccoli.so.5.1.0: undefined reference to 
`SSL_CTX_use_PrivateKey_file'
../src/libbroccoli.so.5.1.0: undefined reference to `SSL_CTX_set_cipher_list'
../src/libbroccoli.so.5.1.0: undefined reference to `CRYPTO_set_id_callback'
../src/libbroccoli.so.5.1.0: undefined reference to `SSL_CTX_free'
../src/libbroccoli.so.5.1.0: undefined reference to `SSL_load_error_strings'
../src/libbroccoli.so.5.1.0: undefined reference to 
`CRYPTO_set_dynlock_destroy_call
{code}

I pushed the cmake merge, without yet moving the submodules (so master won't 
pull it in yet). Can you try pulling those cmake updates into all the 
submodules and see if it compiles fine for you then? 


> bro segfaults after compile in MacOS X 10.11 El Capitan
> ---
>
> Key: BIT-1537
> URL: https://bro-tracker.atlassian.net/browse/BIT-1537
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Carlos Terrón
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> After compiling with 
> {code}
> ./configure --prefix=/usr/local
> make
> make install
> {code}
> and trying to execute bro with:
> {code}
> bro -i en4 local
> {code}
> bro segfaults with
> {code}
> Program received signal SIGSEGV, Segmentation fault.
> 0x0001003045d2 in file_analysis::X509::ParseCertificate (
> cert_val=, fid=)
> at /Users/terron/tmp/bro-2.4.1/src/file_analysis/analyzer/x509/X509.cc:175
> 175   char *exponent = BN_bn2dec(pkey->pkey.rsa->e);
> (gdb) bt
> #0  0x0001003045d2 in file_analysis::X509::ParseCertificate (
> cert_val=, fid=)
> at /Users/terron/tmp/bro-2.4.1/src/file_analysis/analyzer/x509/X509.cc:175
> #1  0x000100303e5d in file_analysis::X509::EndOfFile (this=0x105f8b710)
> at /Users/terron/tmp/bro-2.4.1/src/file_analysis/analyzer/x509/X509.cc:56
> #2  0x00010033f57a in file_analysis::File::EndOfFile (this=0x100961090)
> at /Users/terron/tmp/bro-2.4.1/src/file_analysis/File.cc:522
> #3  0x00010033bc6e in file_analysis::Manager::RemoveFile (
> this=0x105f8b710, file_id=...)
> at /Users/terron/tmp/bro-2.4.1/src/file_analysis/Manager.cc:395
> #4  0x0001002d910a in 
> binpac::TLSHandshake::Handshake_Conn::proc_certificate (this=0x105f8a220, 
> is_orig=false, certificates=0x100961f90)
> at 
> /Users/terron/tmp/bro-2.4.1/build/src/analyzer/protocol/ssl/tls-handshake_pac.cc:180
> #5  0x0001002d99d4 in 
> binpac::TLSHandshake::Handshake_Conn::proc_v3_certificate (this=0x105f8b710, 
> is_orig=16, cl=)
> at 
> /Users/terron/tmp/bro-2.4.1/build/src/analyzer/protocol/ssl/tls-handshake_pac.cc:323
> #6  0x0001002dc430 in binpac::TLSHandshake::Certificate::Parse (
> this=0x105f8a220, t_begin_of_data=, 
> t_end_of_data=0x101022f2e "", t_context=0x10095e480)
> at 
> /Users/terron/tmp/bro-2.4.1/build/src/analyzer/protocol/ssl/tls-handshake_pac.cc:1977
> {code}





[Bro-Dev] [JIRA] (BIT-1542) Please merge topic/johanna/freebsd9

2016-03-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=24606#comment-24606
 ] 

Robin Sommer commented on BIT-1542:
---

sure, I'll do it. 



> Please merge topic/johanna/freebsd9
> ---
>
> Key: BIT-1542
> URL: https://bro-tracker.atlassian.net/browse/BIT-1542
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/freebsd9 in bro and cmake.
> It adds a bit of text to the installation instructions on how to install Bro 
> on FreeBSD 9.X. It also adds tests to cmake that check if C++11 header files 
> are usable; this prevents issues where a new compiler uses the includes of an 
> older one, which apparently can easily happen on old versions of FreeBSD.





[Bro-Dev] [JIRA] (BIT-1535) conn.log conn_state field or documentation is wrong

2016-03-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1535?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1535:
-

Assignee: Robin Sommer

> conn.log conn_state field or documentation is wrong
> ---
>
> Key: BIT-1535
> URL: https://bro-tracker.atlassian.net/browse/BIT-1535
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Justin Azoff
>Assignee: Robin Sommer
>
> There is an issue where the conn.log conn_state field will contain RSTR, 
> which according to the documentation means "Established, responder aborted."
> The problem that I notice is that I see log entries where conn_state is RSTR, 
> but conn_history does not contain an 'h'.  Additionally, the resp_h is 
> absolutely not running a service on resp_p and the orig_h is usually in the 
> process of a tcp scan.
> Here are the top frequencies of RSTR without an h over about a week's worth of 
> conn logs:
> {code}
> 38193 RSTR  Fr
> 3662 RSTR   DFr
> 1801 RSTR   DFdrR
> 1248 RSTR   DRr
> 432 RSTRDrF
> 232 RSTRFar
> 128 RSTRDdAFrR
> 79 RSTR DFadrR
> 64 RSTR DrR
> 58 RSTR DdAFarR
> {code}
> Compared to histories that did contain an h:
> {code}
> 425398 RSTR ShADadFr
> 204149 RSTR ShADadFrR
> 156303 RSTR ShADdFar
> 141795 RSTR ShADadFRRr
> 105704 RSTR ShADadfr
> 79697 RSTR  ShADadr
> 63493 RSTR  ShADaFr
> 51704 RSTR  ShADadF
> 42075 RSTR  ShADdar
> 37678 RSTR  ShADadfRr
> {code}
> I don't have a pcap for this, but I believe many of the weird connections are 
> related to scans or backscatter.
> I'm not sure if the code is wrong or the documentation is wrong, but I don't 
> see how a fin+reset connection could be classified as established.
> Also, one thing that would be a nice documentation addition is the answer to 
> this question:
> Given a conn.log entry, how to determine if there was a connection 
> established?  I thought it would be if the state was in 'SF S1 S2 S3 RSTO 
> RSTR', but RSTR is problematic...





[Bro-Dev] [JIRA] (BIT-1542) Please merge topic/johanna/freebsd9

2016-03-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=24604#comment-24604
 ] 

Robin Sommer commented on BIT-1542:
---

About the cmake change: Wouldn't this new header check better be located in 
{{RequireCXX11}}?

> Please merge topic/johanna/freebsd9
> ---
>
> Key: BIT-1542
> URL: https://bro-tracker.atlassian.net/browse/BIT-1542
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/freebsd9 in bro and cmake.
> It adds a bit of text to the installation instructions on how to install Bro 
> on FreeBSD 9.X. It also adds tests to cmake that check if C++11 header files 
> are usable; this prevents issues where a new compiler uses the includes of an 
> older one, which apparently can easily happen on old versions of FreeBSD.





[Bro-Dev] [JIRA] (BIT-1542) Please merge topic/johanna/freebsd9

2016-03-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1542:
-

Assignee: Robin Sommer

> Please merge topic/johanna/freebsd9
> ---
>
> Key: BIT-1542
> URL: https://bro-tracker.atlassian.net/browse/BIT-1542
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/freebsd9 in bro and cmake.
> It adds a bit of text to the installation instructions on how to install Bro 
> on FreeBSD 9.X. It also adds tests to cmake that check if C++11 header files 
> are usable; this prevents issues where a new compiler uses the includes of an 
> older one, which apparently can easily happen on old versions of FreeBSD.





[Bro-Dev] [JIRA] (BIT-1543) Kafka Logger - Writes Bro Logs to Kafka

2016-03-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1543?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1543:
-

Assignee: Seth Hall

> Kafka Logger - Writes Bro Logs to Kafka
> ---
>
> Key: BIT-1543
> URL: https://bro-tracker.atlassian.net/browse/BIT-1543
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Nick Allen
>Assignee: Seth Hall
>
> As part of the Apache Metron project, we needed a way to send Bro logs to 
> Kafka. From my research it seems like this is a common request. I'd rather 
> give this code back to the Bro community than maintain it as part of Apache 
> Metron.
> This Bro plugin logs all Bro output to Kafka. Configuring this plugin is as 
> simple as adding the following Bro script.
> {code}
> @load Bro/Kafka/logs-to-kafka.bro
> redef Kafka::logs_to_send = set(Conn::LOG, HTTP::LOG, DNS::LOG);
> redef Kafka::topic_name = "bro";
> redef Kafka::kafka_conf = table(
>     ["metadata.broker.list"] = "localhost:9092"
> );
> {code}
> This plugin has the following features.
> * The user can specify a subset of all logs that should be sent to kafka. For 
> example, to only send conn, http, and dns logs, specify the following.
> {code}
> redef Kafka::logs_to_send = set(Conn::LOG, HTTP::LOG, DNS::LOG);
> {code}
> * Full configurability of Kafka connectivity. Any configuration setting 
> accepted by the librdkafka library can be passed to the plugin to tune how 
> the logs are sent to Kafka.
> {code}
> redef Kafka::kafka_conf = table(
>     ["metadata.broker.list"] = "localhost:9092",
>     ["client.id"] = "bro"
> );
> {code}
> * The plugin will wait a configurable period of time (for example, 3 seconds) 
> after shutdown to attempt to send any queued messages to Kafka.
> {code}
> redef Kafka::max_wait_on_shutdown = 3000;
> {code}
> * There are two message formats to choose from. By default, the standard Bro 
> JSON format is used. There is an alternative 'tagged JSON' format that is 
> provided by the plugin. Currently, all messages are sent to a single Bro 
> topic. This 'tagged JSON' format helps a Kafka consumer distinguish which log 
> stream the message originated from. This format prepends the log stream 
> identifier to the JSON message.
> {code}
> {'conn': { ... }}
> {'http': { ... }}
> {'dns': { ... 
> {code}
> To enable this alternative format, simply specify the following.
> {{redef Kafka::tag_json = T;}}





[Bro-Dev] [JIRA] (BIT-1534) Please merge topic/johanna/stats_smb_leak

2016-02-15 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1534:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Please merge topic/johanna/stats_smb_leak
> -
>
> Key: BIT-1534
> URL: https://bro-tracker.atlassian.net/browse/BIT-1534
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/stats_smb_leak
> It fixes a memory leak in stats.cc and smb.cc. A test that triggers the leak 
> in stats.cc is attached. 
> Due to not having access to test traffic I was not actually able to test the 
> smb.cc case, but I am very confident that this triggers a leak and that the 
> patch should fix it (TableVal->Assign needs an Unref for the index value 
> (first parameter; this is the same case as in stats.cc)).





[Bro-Dev] [JIRA] (BIT-1536) elasticsearch tests using nc fail on some systems

2016-02-15 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1536:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> elasticsearch tests using nc fail on some systems
> -
>
> Key: BIT-1536
> URL: https://bro-tracker.atlassian.net/browse/BIT-1536
> Project: Bro Issue Tracker
>  Issue Type: Task
>  Components: Bro
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
>
> Some of the elasticsearch tests use the nc command, and these tests
> fail on some systems (such as debian 7 and 8) because there are at
> least two different incompatible implementations of nc.  A quick fix
> is to use a shell script wrapper that chooses the correct command-line
> arguments.





[Bro-Dev] [JIRA] (BIT-1534) Please merge topic/johanna/stats_smb_leak

2016-02-13 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1534:
-

Assignee: Robin Sommer

> Please merge topic/johanna/stats_smb_leak
> -
>
> Key: BIT-1534
> URL: https://bro-tracker.atlassian.net/browse/BIT-1534
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/stats_smb_leak
> It fixes a memory leak in stats.cc and smb.cc. A test that triggers the leak 
> in stats.cc is attached. 
> Due to not having access to test traffic I was not actually able to test the 
> smb.cc case, but I am very confident that this triggers a leak and that the 
> patch should fix it (TableVal->Assign needs an Unref for the index value 
> (first parameter; this is the same case as in stats.cc)).





[Bro-Dev] [JIRA] (BIT-1536) elasticsearch tests using nc fail on some systems

2016-02-13 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1536:
-

Assignee: Robin Sommer

> elasticsearch tests using nc fail on some systems
> -
>
> Key: BIT-1536
> URL: https://bro-tracker.atlassian.net/browse/BIT-1536
> Project: Bro Issue Tracker
>  Issue Type: Task
>  Components: Bro
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
>
> Some of the elasticsearch tests use the nc command, and these tests
> fail on some systems (such as debian 7 and 8) because there are at
> least two different incompatible implementations of nc.  A quick fix
> is to use a shell script wrapper that chooses the correct command-line
> arguments.





[Bro-Dev] [JIRA] (BIT-1532) fix memory leak in find_all() and IRC analyzer

2016-02-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1532?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1532:
--
Fix Version/s: 2.5

> fix memory leak in find_all() and IRC analyzer
> --
>
> Key: BIT-1532
> URL: https://bro-tracker.atlassian.net/browse/BIT-1532
> Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: Bro
>Reporter: Dirk Leinenbach 
> Fix For: 2.5
>
> Attachments: 0001-fix-memory-leaks-in-find_all-and-IRC-analyzer.patch
>
>
> fix memory leaks in find_all() and IRC analyzer
> Running bro with perftools enabled (cf. [1]), I get leak reports, as 
> soon as my call to find_all() returns a non-empty list.
> When changing find_all() in the following way (inspired by code in 
> IRC.cc), the leak is not reported anymore and my scripts still work as 
> expected:
> old:
> {code}
> function find_all%(str: string, re: pattern%) : string_set
>  %{
>  TableVal* a = new TableVal(string_set);
>  const u_char* s = str->Bytes();
>  const u_char* e = s + str->Len();
>  for ( const u_char* t = s; t < e; ++t )
>  {
>  int n = re->MatchPrefix(t, e - t);
>  if ( n >= 0 )
>  {
>  a->Assign(new StringVal(n, (const char*) t), 0);
>  t += n - 1;
>  }
>  }
>  return a;
>  %}
> {code}
> new:
> {code}
> function find_all%(str: string, re: pattern%) : string_set
>  %{
>  TableVal* a = new TableVal(string_set);
>  const u_char* s = str->Bytes();
>  const u_char* e = s + str->Len();
>  for ( const u_char* t = s; t < e; ++t )
>  {
>  int n = re->MatchPrefix(t, e - t);
>  if ( n >= 0 )
>  {
>  Val* ma = new StringVal(n, (const char*) t);
>  a->Assign(ma, 0);
>  Unref(ma);
>  t += n - 1;
>  }
>  }
>  return a;
>  %}
> {code}





[Bro-Dev] [JIRA] (BIT-1531) Use of mktemp command should be more portable

2016-02-02 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1531?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1531:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

Merged. As this is a portability problem, not a security issue, the fix seems 
fine.

> Use of mktemp command should be more portable
> -
>
> Key: BIT-1531
> URL: https://bro-tracker.atlassian.net/browse/BIT-1531
> Project: Bro Issue Tracker
>  Issue Type: Task
>  Components: Bro, BTest
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> The use of the mktemp command breaks on some platforms, because
> we only use three Xs in our templates, but some platforms require at
> least six Xs.





[Bro-Dev] [JIRA] (BIT-1531) Use of mktemp command should be more portable

2016-02-01 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1531?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1531:
-

Assignee: Robin Sommer

> Use of mktemp command should be more portable
> -
>
> Key: BIT-1531
> URL: https://bro-tracker.atlassian.net/browse/BIT-1531
> Project: Bro Issue Tracker
>  Issue Type: Task
>  Components: Bro, BTest
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> The use of the mktemp command breaks on some platforms, because
> we only use three Xs in our templates, but some platforms require at
> least six Xs.





[Bro-Dev] [JIRA] (BIT-1530) protocol_confirmation event cannot be hooked by plugin

2016-02-01 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1530?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=24008#comment-24008
 ] 

Robin Sommer commented on BIT-1530:
---

Yeah, I think I agree this should be changed. The original motivation was to 
trigger that event as quickly as possible, but not sure it's really worth going 
a non-standard route for that; in particular now that we have plugins hooking 
into the standard route.

I'm not sure but there may indeed be a couple more places avoiding the normal 
event queueing in the same way, might be worth checking them as well.

> protocol_confirmation event cannot be hooked by plugin
> --
>
> Key: BIT-1530
> URL: https://bro-tracker.atlassian.net/browse/BIT-1530
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Jeff Barber
>
> The way the 'protocol_confirmation' event is raised bypasses the plugin 
> event-hook mechanism. Plugin event hooks are triggered via 
> EventMgr.QueueEvent which is in the usual event generation interface. 
> However, protocol_confirmation is generated via this code in 
> src/analyzer/Analyzer.cc:
> {code}
> // We immediately raise the event so that the analyzer can quickly
> // react if necessary.
> ::Event* e = new ::Event(protocol_confirmation, vl, SOURCE_LOCAL);
> mgr.Dispatch(e);
> {code}
> The EventMgr.Dispatch method doesn't invoke the hook so at present it's not 
> possible for a plugin to hook this event. It would be nice if this were 
> orthogonal with other events.





[Bro-Dev] [JIRA] (BIT-1527) Please merge topic/johanna/cve-2015-3194

2016-02-01 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1527?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1527:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Please merge topic/johanna/cve-2015-3194
> 
>
> Key: BIT-1527
> URL: https://bro-tracker.atlassian.net/browse/BIT-1527
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
> Fix For: 2.5
>
>
> Please merge topic/johanna/cve-2015-3194. The branch contains a test that 
> checks if a machine is vulnerable to cve-2015-3194 and - if yes - raises a 
> test error.
> Note that we should ensure that all our jenkins machines have a current 
> OpenSSL before merging this to master.





[Bro-Dev] [JIRA] (BIT-1524) Fixing compiler warnings

2016-01-19 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1524?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1524:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Fixing compiler warnings
> 
>
> Key: BIT-1524
> URL: https://bro-tracker.atlassian.net/browse/BIT-1524
> Project: Bro Issue Tracker
>  Issue Type: Task
>  Components: Bro
>Reporter: Seth Hall
>Assignee: Robin Sommer
>
> The topic/seth/compiler-cleanup branch in the Bro repository and the Binpac 
> repository fix a set of compiler warnings currently showing up in Bro.  Some 
> of them were introduced by moving to C++11.





[Bro-Dev] [JIRA] (BIT-1524) Fixing compiler warnings

2016-01-19 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1524?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1524:
-

Assignee: Robin Sommer

> Fixing compiler warnings
> 
>
> Key: BIT-1524
> URL: https://bro-tracker.atlassian.net/browse/BIT-1524
> Project: Bro Issue Tracker
>  Issue Type: Task
>  Components: Bro
>Reporter: Seth Hall
>Assignee: Robin Sommer
>
> The topic/seth/compiler-cleanup branch in the Bro repository and the Binpac 
> repository fix a set of compiler warnings currently showing up in Bro.  Some 
> of them were introduced by moving to C++11.





[Bro-Dev] [JIRA] (BIT-1514) Test plugins.pktsrc fails

2016-01-15 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1514?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=23829#comment-23829
 ] 

Robin Sommer commented on BIT-1514:
---

Forgot to comment on this earlier: I had tried to reproduce it here, but no 
luck. valgrind also didn't flag anything. I also double-checked the code and 
didn't spot anything obvious. 

> Test plugins.pktsrc fails
> -
>
> Key: BIT-1514
> URL: https://bro-tracker.atlassian.net/browse/BIT-1514
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
> Environment: Fedora 23
>Reporter: Jan Grashoefer
>Assignee: Robin Sommer
>
> The plugins.pktsrc test fails for me. Bro crashes with:
> {code}
> *** Error in `bro': corrupted double-linked list: 0x03ac10a0 ***
> === Backtrace: =
> /lib64/libc.so.6(+0x77e15)[0x7f5c5e23ae15]
> /lib64/libc.so.6(+0x7eed8)[0x7f5c5e241ed8]
> /lib64/libc.so.6(+0x807a8)[0x7f5c5e2437a8]
> /lib64/libc.so.6(cfree+0x4c)[0x7f5c5e246cac]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x32)[0x5d3322]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]

[Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub

2016-01-15 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=23830#comment-23830
 ] 

Robin Sommer commented on BIT-1413:
---

Yeah, would prefer to keep it; it makes it easier to navigate.

Would it work with github to do a bullet list with relative links instead of 
the toctree?

(However, I'm not sure if then Sphinx would complain about the sub-directory 
README not being included anywhere.) 

> README files misidentified by GitHub
> 
>
> Key: BIT-1413
> URL: https://bro-tracker.atlassian.net/browse/BIT-1413
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Documentation
>Reporter: Vlad Grigorescu
>Assignee: Johanna Amann
>Priority: Low
> Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. 
> Because our README files are ReST, this results in some ugly (and not very 
> useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, 
> or create a symlink. I tried out the symlink option here, and I think the 
> result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This 
> could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary





[Bro-Dev] [JIRA] (BIT-1519) bro segfaults when trying to delete a record field that doesn't exist

2016-01-15 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1519:
-

Assignee: Robin Sommer

> bro segfaults when trying to delete a record field that doesn't exist
> -
>
> Key: BIT-1519
> URL: https://bro-tracker.atlassian.net/browse/BIT-1519
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
> Attachments: test.bro
>
>
> When using the "delete" statement on a record field that doesn't exist,
> Bro will (correctly) report an error message, but then it segfaults.





[Bro-Dev] [JIRA] (BIT-1519) bro segfaults when trying to delete a record field that doesn't exist

2016-01-15 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1519:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> bro segfaults when trying to delete a record field that doesn't exist
> -
>
> Key: BIT-1519
> URL: https://bro-tracker.atlassian.net/browse/BIT-1519
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
> Attachments: test.bro
>
>
> When using the "delete" statement on a record field that doesn't exist,
> Bro will (correctly) report an error message, but then it segfaults.





[Bro-Dev] [JIRA] (BIT-1513) Please merge topic/johanna/irc-starttls

2015-12-18 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1513:
-

Assignee: Robin Sommer

> Please merge topic/johanna/irc-starttls
> ---
>
> Key: BIT-1513
> URL: https://bro-tracker.atlassian.net/browse/BIT-1513
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
>
> Please merge topic/johanna/irc-starttls. This adds StartTLS support to the 
> IRC protocol analyzer.





[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

2015-12-18 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=23401#comment-23401
 ] 

Robin Sommer commented on BIT-1363:
---

This has already been removed for a while, closing.

> Clustered AF_PACKET support
> ---
>
> Key: BIT-1363
> URL: https://bro-tracker.atlassian.net/browse/BIT-1363
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: Bro
>Affects Versions: git/master
>Reporter: Michal Purzynski
>Assignee: Robin Sommer
> Attachments: pcap.c
>
>
> Let's have support for packet capture with AF_PACKET sockets in a multi-worker 
> configuration.
> Bro can use a single worker with af_packet; I have tested it and it works, but 
> having direct support for multi-worker load balancing would allow avoiding 
> pf_ring for many deployments with traffic levels where DNA / ZC / 
> Myricom / DAG is not required.





[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

2015-12-18 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1363:
--
Resolution: Merged
Status: Closed  (was: Reopened)

> Clustered AF_PACKET support
> ---
>
> Key: BIT-1363
> URL: https://bro-tracker.atlassian.net/browse/BIT-1363
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: Bro
>Affects Versions: git/master
>Reporter: Michal Purzynski
>Assignee: Robin Sommer
> Attachments: pcap.c
>
>
> Let's have support for packet capture with AF_PACKET sockets in a multi-worker 
> configuration.
> Bro can use a single worker with af_packet; I have tested it and it works, but 
> having direct support for multi-worker load balancing would allow avoiding 
> pf_ring for many deployments with traffic levels where DNA / ZC / 
> Myricom / DAG is not required.





[Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

2015-12-18 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1506:
-

Assignee: Robin Sommer

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---
>
> Key: BIT-1506
> URL: https://bro-tracker.atlassian.net/browse/BIT-1506
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Vlad Grigorescu
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] - 





[Bro-Dev] [JIRA] (BIT-1513) Please merge topic/johanna/irc-starttls

2015-12-18 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=23400#comment-23400
 ] 

Robin Sommer commented on BIT-1513:
---

I'm surprised that IRC wasn't using ContentLine already. I suppose it's not a 
problem to switch it over to using that for its normal analysis?

> Please merge topic/johanna/irc-starttls
> ---
>
> Key: BIT-1513
> URL: https://bro-tracker.atlassian.net/browse/BIT-1513
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
>
> Please merge topic/johanna/irc-starttls. This adds StartTLS support to the 
> IRC protocol analyzer.





[Bro-Dev] [JIRA] (BIT-1513) Please merge topic/johanna/irc-starttls

2015-12-18 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1513:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Please merge topic/johanna/irc-starttls
> ---
>
> Key: BIT-1513
> URL: https://bro-tracker.atlassian.net/browse/BIT-1513
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
>
> Please merge topic/johanna/irc-starttls. This adds StartTLS support to the 
> IRC protocol analyzer.





[Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

2015-12-18 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1506:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---
>
> Key: BIT-1506
> URL: https://bro-tracker.atlassian.net/browse/BIT-1506
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Vlad Grigorescu
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] - 





[Bro-Dev] [JIRA] (BIT-1513) Please merge topic/johanna/irc-starttls

2015-12-18 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=23403#comment-23403
 ] 

Robin Sommer commented on BIT-1513:
---

Ah, of course. Misread the diff, now it makes sense. :) Already merged it, will 
push in a bit.

> Please merge topic/johanna/irc-starttls
> ---
>
> Key: BIT-1513
> URL: https://bro-tracker.atlassian.net/browse/BIT-1513
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
>
> Please merge topic/johanna/irc-starttls. This adds StartTLS support to the 
> IRC protocol analyzer.





[Bro-Dev] [JIRA] (BIT-1514) Test plugins.pktsrc fails

2015-12-16 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1514:
-

Assignee: Robin Sommer

> Test plugins.pktsrc fails
> -
>
> Key: BIT-1514
> URL: https://bro-tracker.atlassian.net/browse/BIT-1514
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
> Environment: Fedora 23
>Reporter: Jan Grashoefer
>Assignee: Robin Sommer
>
> The plugins.pktsrc test fails for me. Bro crashes with:
> {code}
> *** Error in `bro': corrupted double-linked list: 0x03ac10a0 ***
> === Backtrace: =
> /lib64/libc.so.6(+0x77e15)[0x7f5c5e23ae15]
> /lib64/libc.so.6(+0x7eed8)[0x7f5c5e241ed8]
> /lib64/libc.so.6(+0x807a8)[0x7f5c5e2437a8]
> /lib64/libc.so.6(cfree+0x4c)[0x7f5c5e246cac]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x32)[0x5d3322]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZN8BrofilerD1Ev+0x22)[0x5d2162]
> /lib64/libc.so.6(+0x39658)[0x7f5c5e1fc658]
> /lib64/libc.so.6(+0x396a5)[0x7f5c5e1fc6a5]
> /lib64/libc.so.6(__libc_start_main+0xf7)[0x7f5c5e1e3587]
> bro(_start+0x29)[0x5ac359]
> === Memory map: 

[Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

2015-12-04 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=23104#comment-23104
 ] 

Robin Sommer commented on BIT-1506:
---

Is this ready? I don't see the branch.

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---
>
> Key: BIT-1506
> URL: https://bro-tracker.atlassian.net/browse/BIT-1506
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Vlad Grigorescu
> Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] - 





[Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

2015-12-04 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=23104#comment-23104
 ] 

Robin Sommer edited comment on BIT-1506 at 12/4/15 6:45 PM:


Is this ready? I don't see the branch.


was (Author: robin):
I this ready? I don't see the branch.

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---
>
> Key: BIT-1506
> URL: https://bro-tracker.atlassian.net/browse/BIT-1506
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Vlad Grigorescu
> Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] - 





[Bro-Dev] [JIRA] (BIT-939) HTTP parser refact & redesign required

2015-12-01 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=23101#comment-23101
 ] 

Robin Sommer commented on BIT-939:
--

Yeah, this sounds right. I'll earmark it for 2.5 so that it stays on the radar.

> HTTP parser refact & redesign required
> --
>
> Key: BIT-939
> URL: https://bro-tracker.atlassian.net/browse/BIT-939
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: drmckay
> Fix For: 2.5
>
>
> Hi,
> In the HTTP parser implementation you are following an old, obsoleted RFC from 
> 1999. There is a newer version: http://tools.ietf.org/html/rfc3986
> Please review and refactor your code (an unescapeURI() redesign is also needed, to 
> minimize false positives).
> Thanks.





[Bro-Dev] [JIRA] (BIT-939) HTTP parser refact & redesign required

2015-12-01 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-939?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-939:
-
Status: Reopened  (was: Closed)
Resolution: (was: Incomplete)

> HTTP parser refact & redesign required
> --
>
> Key: BIT-939
> URL: https://bro-tracker.atlassian.net/browse/BIT-939
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: drmckay
> Fix For: 2.5
>
>
> Hi,
> In the HTTP parser implementation you are following an old, obsoleted RFC from 
> 1999. There is a newer version: http://tools.ietf.org/html/rfc3986
> Please review and refactor your code (an unescapeURI() redesign is also needed, to 
> minimize false positives).
> Thanks.





[Bro-Dev] [JIRA] (BIT-1512) make package installs broken broccoli bindings

2015-11-17 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1512?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=22901#comment-22901
 ] 

Robin Sommer commented on BIT-1512:
---

Looks like the same as BIT-1509

> make package installs broken broccoli bindings
> --
>
> Key: BIT-1512
> URL: https://bro-tracker.atlassian.net/browse/BIT-1512
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: broccoli-python
>Affects Versions: 2.4
>Reporter: Justin Azoff
>Priority: Low
>  Labels: broccoli, broctl, build, packaging
>
> Installed via make install
> {code}
> [jazoff@bro-dev broctl]$ ldd _broccoli_intern.so |grep bro
> libbroccoli.so.5 => /usr/local/bro/lib/libbroccoli.so.5 
> (0x7fcc56b7b000)
> [jazoff@bro-dev broctl]$ readelf -d _broccoli_intern.so |grep -i rpath
>  0x000f (RPATH)  Library rpath: [/usr/local/bro/lib]
> [jazoff@bro-dev broctl]$
> {code}
> Installed via rpm via make package
> {code}
> [jazoff@bro-prod broctl]$ ldd _broccoli_intern.so |grep bro
> libbroccoli.so.5 => not found
> [jazoff@bro-prod broctl]$ readelf -d _broccoli_intern.so|grep -i rpath
> {code}





[Bro-Dev] [JIRA] (BIT-1509) Library search problem with make-rpm-packages

2015-11-13 Thread Robin Sommer (JIRA)
Robin Sommer created BIT-1509:
-

 Summary: Library search problem with make-rpm-packages
 Key: BIT-1509
 URL: https://bro-tracker.atlassian.net/browse/BIT-1509
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Reporter: Robin Sommer
 Fix For: 2.5


The "full Bro" RPM that make-rpm-packages builds puts broccoli.so into 
/opt/bro/lib, but doesn't make sure that BroControl can actually find it there, 
so the "import broccoli" fails. It sounds like this used to work in 2.3, 
but not anymore in 2.4.

I don't know if we want to support the RPM script going forward, given that 
we've switched to the SuSE build service. But as long as we keep shipping it, 
it would be nice if it "just worked".







[Bro-Dev] [JIRA] (BIT-1499) Updates for newer version of OpenSSL/LibreSSL

2015-11-11 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1499?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1499:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Updates for newer version of OpenSSL/LibreSSL
> -
>
> Key: BIT-1499
> URL: https://bro-tracker.atlassian.net/browse/BIT-1499
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro, Broccoli
>Affects Versions: git/master
>Reporter: Seth Hall
>Assignee: Robin Sommer
> Fix For: 2.5
>
> Attachments: patch-aux_broccoli_src_bro__openssl.c, 
> patch-src_ChunkedIO.cc
>
>
> A comment from Christoph Pietsch:
> {quote}Currently bro fails to build when openssl libraries have been built
> without SSLv3 (configure --no-ssl2 --nossl3). This has
> surfaced when building with the latest LibreSSL 2.3.
> Attached patches address all these issues. These can be improved upon
> by using only SSLv23_ methods or even TLS_ methods and setting
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've
> tried to make the patches minimally intrusive. OpenSSL 1.1.0 will
> deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}
> The patches are attached.  Fortunately all of this code is slated to be 
> removed, but it does introduce the question of how we manage this moving forward. 
> I'd like to avoid having to add compiler directives to use alternate 
> implementations and detect which version of OpenSSL someone has installed. 
> Alternately, what does everyone think about deprecating the existing 
> communication mechanism by making it a configure-time option?  We can just 
> not compile those by default, which means that almost everyone would just see 
> everything work correctly and our effort would be minimal.  People that need 
> the existing built-in communication can still deal with the complications of 
> compiling Bro with the option and having the correct version of OpenSSL.





[Bro-Dev] [JIRA] (BIT-1499) Updates for newer version of OpenSSL/LibreSSL

2015-11-10 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1499?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1499:
-

Assignee: Robin Sommer

> Updates for newer version of OpenSSL/LibreSSL
> -
>
> Key: BIT-1499
> URL: https://bro-tracker.atlassian.net/browse/BIT-1499
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro, Broccoli
>Affects Versions: git/master
>Reporter: Seth Hall
>Assignee: Robin Sommer
> Fix For: 2.5
>
> Attachments: patch-aux_broccoli_src_bro__openssl.c, 
> patch-src_ChunkedIO.cc
>
>
> A comment from Christoph Pietsch:
> {quote}Currently bro fails to build when openssl libraries have been built
> without SSLv3 (configure --no-ssl2 --nossl3). This has
> surfaced when building with the latest LibreSSL 2.3.
> Attached patches address all these issues. These can be improved upon
> by using only SSLv23_ methods or even TLS_ methods and setting
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've
> tried to make the patches minimally intrusive. OpenSSL 1.1.0 will
> deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}
> The patches are attached.  Fortunately all of this code is slated to be 
> removed, but it does introduce the question of how we manage this moving forward. 
> I'd like to avoid having to add compiler directives to use alternate 
> implementations and detect which version of OpenSSL someone has installed. 
> Alternately, what does everyone think about deprecating the existing 
> communication mechanism by making it a configure-time option?  We can just 
> not compile those by default, which means that almost everyone would just see 
> everything work correctly and our effort would be minimal.  People that need 
> the existing built-in communication can still deal with the complications of 
> compiling Bro with the option and having the correct version of OpenSSL.





[Bro-Dev] [JIRA] (BIT-1503) vlan-logging.bro assumes c$conn exists

2015-11-10 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1503?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1503:
-

Assignee: Robin Sommer

> vlan-logging.bro assumes c$conn exists
> --
>
> Key: BIT-1503
> URL: https://bro-tracker.atlassian.net/browse/BIT-1503
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
> Environment: git/master, CentOS 7, vlan tagged pcap.
>Reporter: dop
>Assignee: Robin Sommer
>  Labels: vlan
> Fix For: 2.5
>
>
> policy/protocols/conn/vlan-logging.bro
> When testing against random pcaps you'll get tons of errors like:
> 1446562801.530502 expression error in 
> /usr/local/bro/share/bro/policy/protocols/conn/vlan-logging.bro, line 21: 
> field value missing [Conn::c$conn]
> Adding a c?$conn condition removes that annoyance.
> -Dop





[Bro-Dev] [JIRA] (BIT-1505) topic/jsiwek/sse2-config-check

2015-11-10 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1505:
-

Assignee: Robin Sommer

> topic/jsiwek/sse2-config-check
> --
>
> Key: BIT-1505
> URL: https://bro-tracker.atlassian.net/browse/BIT-1505
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Broker
>Reporter: Jon Siwek
>Assignee: Robin Sommer
>
> A couple of places in Broker used SSE2 intrinsics without actually checking if 
> the platform supports them; this branch adds a config-time check to preprocess 
> them out.
> And, unrelated, also fixed a unit test failure I never noticed before (maybe 
> I'm the first one to test on OS X 10.11).



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


[Bro-Dev] [JIRA] (BIT-1499) Updates for newer version of OpenSSL/LibreSSL

2015-11-05 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1499?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1499:
-

Assignee: Robin Sommer

> Updates for newer version of OpenSSL/LibreSSL
> -
>
> Key: BIT-1499
> URL: https://bro-tracker.atlassian.net/browse/BIT-1499
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro, Broccoli
>Affects Versions: git/master
>Reporter: Seth Hall
>Assignee: Robin Sommer
> Fix For: 2.5
>
> Attachments: patch-aux_broccoli_src_bro__openssl.c, 
> patch-src_ChunkedIO.cc
>
>
> A comment from Christoph Pietsch:
> {quote}Currently bro fails to build when openssl libraries have been built
> without SSLv3 (configure --no-ssl2 --nossl3). This has
> surfaced when building with the latest LibreSSL 2.3.
> Attached patches address all these issues. These can be improved upon
> by using only SSLv23_ methods or even TLS_ methods and setting
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've
> tried to make the patches minimally intrusive. OpenSSL 1.1.0 will
> deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}
> The patches are attached.  Fortunately all of this code is slated to be 
> removed, but it does introduce the question of how we manage this moving forward. 
> I'd like to avoid having to add compiler directives to use alternate 
> implementations and detect which version of OpenSSL someone has installed. 
> Alternately, what does everyone think about deprecating the existing 
> communication mechanism by making it a configure-time option?  We can just 
> not compile those by default, which means that almost everyone would just see 
> everything work correctly and our effort would be minimal.  People that need 
> the existing built-in communication can still deal with the complications of 
> compiling Bro with the option and having the correct version of OpenSSL.





[Bro-Dev] [JIRA] (BIT-1499) Updates for newer version of OpenSSL/LibreSSL

2015-11-05 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1499?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1499:
--
  Status: Merge Request  (was: Open)
Assignee: (was: Robin Sommer)

> Updates for newer version of OpenSSL/LibreSSL
> -
>
> Key: BIT-1499
> URL: https://bro-tracker.atlassian.net/browse/BIT-1499
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro, Broccoli
>Affects Versions: git/master
>Reporter: Seth Hall
> Fix For: 2.5
>
> Attachments: patch-aux_broccoli_src_bro__openssl.c, 
> patch-src_ChunkedIO.cc
>
>
> A comment from Christoph Pietsch:
> {quote}Currently bro fails to build when openssl libraries have been built
> without SSLv3  (configure --no-ssl2 --nossl3). This has
> surfaced when building with the latest LibreSSL 2.3.
> Attached patches address all these issues. These can be improved upon
> by using only SSLv23_ methods or even TLS_ methods and setting
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've
> tried to make the patches minimally intrusive. OpenSSL 1.1.0 will
> deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}
> The patches are attached.  Fortunately all of this code is slated to be 
> removed but it does introduce the question how we manage this moving forward. 
>  I'd like to avoid having to add compiler directives to use alternate 
> implementations and detect which version of OpenSSL someone has installed. 
> Alternately, what does everyone think about deprecating the existing 
> communication mechanism by making it a configure-time option?  We can just 
> not compile those by default which means that almost everyone would just see 
> everything work correctly and our effort would be minimal.  People that need 
> the existing built in communication still can deal with the complications of 
> compiling Bro with the option and having the correct version of OpenSSL.





[Bro-Dev] [JIRA] (BIT-1498) add '-q' to ssh execution in ssh_runner.py

2015-10-26 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1498?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1498:
-

Assignee: Daniel Thayer

> add '-q' to ssh execution in ssh_runner.py
> --
>
> Key: BIT-1498
> URL: https://bro-tracker.atlassian.net/browse/BIT-1498
> Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: BroControl
>Affects Versions: 2.4
>Reporter: scampbell
>Assignee: Daniel Thayer
>  Labels: broctl
>
> When using broctl in an environment with login banners, they will be 
> displayed in the broctl command.  In the event that they cannot be 
> configured away on the sshd end, using '-q' avoids displaying the banner on 
> the client side.
> The patch is trivial:
> --- a/BroControl/ssh_runner.py
> +++ b/BroControl/ssh_runner.py
> @@ -108,6 +108,7 @@ class SSHMaster:
>  self.base_cmd = [
>  "ssh",
>  "-o", "BatchMode=yes",
> +"-q",
>  host,
>  ]
>  self.need_connect = True
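Review bot: "-q" is added unconditionally to base_cmd next to "BatchMode=yes", and besides hiding the login banner the issue describes, that flag suppresses ssh's other warnings and diagnostic messages, so a connection that fails in BatchMode will produce no explanation on the client side. Consider documenting this in the BroControl docs or making the flag configurable, so operators can drop it while debugging connectivity to a node.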





[Bro-Dev] [JIRA] (BIT-672) Bring POP3 back into the distribution

2015-10-26 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=22701#comment-22701
 ] 

Robin Sommer commented on BIT-672:
--

I'd like to bring back the support for POP3, however the main concern was not 
the lack of scripts (that shouldn't be too difficult) but the quality of the 
C++ code. The code would need either a careful review or, better, a rewrite in 
binpac. 

> Bring POP3 back into the distribution
> -
>
> Key: BIT-672
> URL: https://bro-tracker.atlassian.net/browse/BIT-672
> Project: Bro Issue Tracker
>  Issue Type: Task
>  Components: Bro
>Affects Versions: git/master
>Reporter: Matthias Vallentin
>Assignee: Seth Hall
> Fix For: 2.5
>
>
> The current master no longer has support for POP3. It lingers around but we 
> need to bring it back into the distribution.





[Bro-Dev] [JIRA] (BIT-1496) Extend TLS dpd signature

2015-10-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1496:
-

Assignee: Robin Sommer

> Extend TLS dpd signature
> 
>
> Key: BIT-1496
> URL: https://bro-tracker.atlassian.net/browse/BIT-1496
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2,5
>
>
> Please merge topic/johanna/tls_early_alert, which extends the TLS dpd 
> signature to allow cases where the server sends a TLS alert before the Server 
> hello.





[Bro-Dev] [JIRA] (BIT-1495) Fix join_string_vec for vectors with empty elements.

2015-10-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1495:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Fix join_string_vec for vectors with empty elements.
> 
>
> Key: BIT-1495
> URL: https://bro-tracker.atlassian.net/browse/BIT-1495
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/string_vec_null. It fixes a crash when using 
> join_string_vec with vectors that can contain empty elements.





[Bro-Dev] [JIRA] (BIT-1495) Fix join_string_vec for vectors with empty elements.

2015-10-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1495:
-

Assignee: Robin Sommer

> Fix join_string_vec for vectors with empty elements.
> 
>
> Key: BIT-1495
> URL: https://bro-tracker.atlassian.net/browse/BIT-1495
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2.5
>
>
> Please merge topic/johanna/string_vec_null. It fixes a crash when using 
> join_string_vec with vectors that can contain empty elements.





[Bro-Dev] [JIRA] (BIT-1496) Extend TLS dpd signature

2015-10-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1496:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Extend TLS dpd signature
> 
>
> Key: BIT-1496
> URL: https://bro-tracker.atlassian.net/browse/BIT-1496
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
> Fix For: 2,5
>
>
> Please merge topic/johanna/tls_early_alert, which extends the TLS dpd 
> signature to allow cases where the server sends a TLS alert before the Server 
> hello.





[Bro-Dev] [JIRA] (BIT-1497) pattern [:space:] shortcut not matching as expected

2015-10-22 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1497?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1497:
--
Resolution: Invalid
Status: Closed  (was: Open)

> pattern [:space:] shortcut not matching as expected
> ---
>
> Key: BIT-1497
> URL: https://bro-tracker.atlassian.net/browse/BIT-1497
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
> Environment: Running tests using Bro 2.4.1 (precompiled from 
> http://download.opensuse.org/repositories/network:/bro/xUbuntu_14.10/) on 
> Ubuntu 14.10.
> Running using a simple "/opt/bro/bin/bro myscript.bro" syntax.
>Reporter: Lloyd Brown
>  Labels: pattern
> Attachments: patterns.space_shortcut.testcase.bro, 
> patterns.space_shortcut.testcase.bro.output
>
>
> I'm trying to do some RegEx-like pattern matching of a data stream using Bro, 
> and I'm finding that at least some of the shortcuts, like '[:space:]', don't 
> seem to act as expected.
> In short, I expected that '[:space:]' and '[ \f\n\r\t\v]' would be 
> interchangeable, but that doesn't seem to be the case.  I have not tested any 
> other shortcuts like '[:alpha:]', '[:digit:]', etc.  Just '[:space:]' so far.
> I will attach an example script, as well as a file containing the output I'm 
> seeing.





[Bro-Dev] [JIRA] (BIT-1497) pattern [:space:] shortcut not matching as expected

2015-10-22 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=22646#comment-22646
 ] 

Robin Sommer commented on BIT-1497:
---

Ah, I see the problem: you need to write it like this: {noformat} /[[:space:]]/ 
{noformat} (i.e., double brackets). These work only inside a character class 
(which I believe is standard behavior).

> pattern [:space:] shortcut not matching as expected
> ---
>
> Key: BIT-1497
> URL: https://bro-tracker.atlassian.net/browse/BIT-1497
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
> Environment: Running tests using Bro 2.4.1 (precompiled from 
> http://download.opensuse.org/repositories/network:/bro/xUbuntu_14.10/) on 
> Ubuntu 14.10.
> Running using a simple "/opt/bro/bin/bro myscript.bro" syntax.
>Reporter: Lloyd Brown
>  Labels: pattern
> Attachments: patterns.space_shortcut.testcase.bro, 
> patterns.space_shortcut.testcase.bro.output
>
>
> I'm trying to do some RegEx-like pattern matching of a data stream using Bro, 
> and I'm finding that at least some of the shortcuts, like '[:space:]', don't 
> seem to act as expected.
> In short, I expected that '[:space:]' and '[ \f\n\r\t\v]' would be 
> interchangeable, but that doesn't seem to be the case.  I have not tested any 
> other shortcuts like '[:alpha:]', '[:digit:]', etc.  Just '[:space:]' so far.
> I will attach an example script, as well as a file containing the output I'm 
> seeing.




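Robin's answer in C terms, as an added example that uses the POSIX regex.h API rather than Bro's pattern engine (the reporter's script and its output are attachments that are not on this page): the three patterns from the thread are compiled as extended regular expressions and run against each of the six whitespace characters. The function names are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

/* Compile `pattern` as a POSIX extended regular expression and run it
 * against `subject`. Returns 1 on match, 0 on no match, -1 if the pattern
 * does not compile at all. */
int ere_matches(const char *pattern, const char *subject)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Count how many of the six characters of the explicit class from the
 * report ([ \f\n\r\t\v]) a pattern matches when each is the whole subject. */
int whitespace_hits(const char *pattern)
{
    static const char ws[] = " \f\n\r\t\v";
    int hits = 0;
    for (size_t i = 0; i < sizeof(ws) - 1; i++) {
        char subject[2] = { ws[i], '\0' };
        if (ere_matches(pattern, subject) == 1)
            hits++;
    }
    return hits;
}

int main(void)
{
    /* Display label and the pattern actually compiled. */
    static const char *const cases[][2] = {
        { "[[:space:]]",        "[[:space:]]" },
        { "[ \\f\\n\\r\\t\\v]", "[ \f\n\r\t\v]" },
        { "[:space:]",          "[:space:]" },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-18s matches %d of 6 whitespace characters\n",
               cases[i][0], whitespace_hits(cases[i][1]));
    return 0;
}
```

The double-bracket form and the explicit class both hit all six characters, while the single-bracket form hits none: outside a bracket expression the name `[:space:]` is not a class at all, and whether the library rejects it or reads it as a set of the literal characters `:`, `s`, `p`, `a`, `c`, `e`, it will never match whitespace.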

[Bro-Dev] [JIRA] (BIT-1487) protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

2015-10-20 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1487:
-

Assignee: Robin Sommer

> protocols nested within HTTP CONNECT not properly detected when proxy adds 
> headers to 200 response
> --
>
> Key: BIT-1487
> URL: https://bro-tracker.atlassian.net/browse/BIT-1487
> Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Eric Karasuda
>Assignee: Robin Sommer
> Fix For: 2.5
>
> Attachments: http-connect.patch, http-connect.pcap, 
> output-without-patch.tar.gz, output-with-patch.tar.gz
>
>
> Failure scenario:
> * a client makes a HTTP request to a proxy: CONNECT secure.newegg.com:443
> * the server responds HTTP 200
> * the proxy adds a header to the server's response (e.g. "Proxy-agent: 
> Apache/2.4.16 (Unix)" in the attached pcap).
> * SSL handshake proceeds
> * Bro fails to identify the SSL handshake
> As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it 
> instantiates a child analyzer and passes the rest of the server's response to 
> the child. In particular, this means the "Proxy-agent" header is treated as 
> the first data transmitted in the SSL handshake. As a result, protocol 
> detection fails. 
> The attached patch remembers that the HTTP 200 was received and only 
> instantiates the child analyzer when the newline is reached at the end of the 
> HTTP message (e.g. after the "Proxy-agent" header).
> Running {{bro -C -r http-connect.pcap}} with the attached pcap should output 
> {{output-without-patch.tar.gz}} before applying the patch (note the absence 
> of ssl.log) and should output  {{output-with-patch.tar.gz}} after applying 
> the patch.




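The two behaviours described in the report, as an added C example that is neither the patch attached to the issue nor Bro's HTTP analyzer code: `handoff_after_status_line` models the unpatched hand-off right after the first line end, and `handoff_after_headers` models the patched one that remembers the 200 and waits for the empty line ending the HTTP message. The sample bytes are constructed from the scenario above (the `Proxy-agent` value comes from the report; the trailing TLS record bytes are made up), and the function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of the proxy's half of a CONNECT exchange, modelled on
 * the failure scenario in the report: 200 status line, a header the proxy
 * appends, the empty line that ends the HTTP message, then the first bytes
 * of a TLS record (0x16 = handshake content type). Not a real capture. */
static const unsigned char sample[] =
    "HTTP/1.0 200 Connection Established\r\n"
    "Proxy-agent: Apache/2.4.16 (Unix)\r\n"
    "\r\n"
    "\x16\x03\x01\x00\x05hello";
static const size_t sample_len = sizeof(sample) - 1;

/* Unpatched behaviour as described: hand the rest of the stream to the child
 * analyzer right after the status line. Returns the offset of the first byte
 * the child sees, or -1 if no complete line is available yet. */
long handoff_after_status_line(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n')
            return (long)(i + 2);
    return -1;
}

/* Patched behaviour as described: remember that a 200 was seen, then keep
 * consuming header lines until the empty line that terminates the message.
 * Returns the offset of the first tunnelled byte, or -1 if more data is
 * needed or the response is not a successful CONNECT reply. */
long handoff_after_headers(const unsigned char *buf, size_t len)
{
    int saw_200 = 0;
    size_t line_start = 0;

    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] != '\r' || buf[i + 1] != '\n')
            continue;
        size_t line_len = i - line_start;
        if (!saw_200) {
            /* Status line looks like "HTTP/x.y 200 ..." */
            if (line_len >= 12 && memcmp(buf + line_start, "HTTP/", 5) == 0
                && memcmp(buf + line_start + 9, "200", 3) == 0)
                saw_200 = 1;
            else
                return -1;
        } else if (line_len == 0) {
            return (long)(i + 2);   /* end of headers: tunnel starts here */
        }
        line_start = i + 2;
        i++;                        /* step over the '\n' as well */
    }
    return -1;
}

int main(void)
{
    long naive = handoff_after_status_line(sample, sample_len);
    long fixed = handoff_after_headers(sample, sample_len);
    printf("without the patch the child analyzer starts at %ld (byte 0x%02x)\n",
           naive, sample[naive]);
    printf("with the patch the child analyzer starts at %ld (byte 0x%02x)\n",
           fixed, sample[fixed]);
    return 0;
}
```

Without the patch the child analyzer's first byte is the `P` of `Proxy-agent`, so TLS detection on the tunnelled stream sees header text instead of a handshake record; with the patch it is the `0x16` record type byte. The patched routine also returns -1 on a truncated buffer, which is what an analyzer fed incrementally has to handle.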

[Bro-Dev] [JIRA] (BIT-1467) several tests are broken in scripts/policy/protocols/ssl

2015-10-05 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1467:
-

Assignee: Robin Sommer

> several tests are broken in scripts/policy/protocols/ssl
> 
>
> Key: BIT-1467
> URL: https://bro-tracker.atlassian.net/browse/BIT-1467
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
>Priority: High
> Fix For: 2.5
>
>
> Due to recent bug fixes in the btest repo (see BIT-1455), it was
> discovered that several tests in the bro repo now fail due to problems
> with their canonifier.





[Bro-Dev] [JIRA] (BIT-1479) seek functionality in RAW reader does not go to end of file

2015-10-02 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1479?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1479:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> seek functionality in RAW reader does not go to end of file
> ---
>
> Key: BIT-1479
> URL: https://bro-tracker.atlassian.net/browse/BIT-1479
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
> Environment: running bin/bro version 2.4-87-debug on linux
>Reporter: scampbell
>Assignee: Robin Sommer
>  Labels: input-framework
>
> When using the seek functionality for RAW input as described in 
> https://github.com/bro/bro/commit/cbba73ab12b3a9935162f008fe7d05ab61c5be6a
> The code on lines 397-398 will push the suggested value of -1 to 0, which will 
> disable the SEEK_END.
> The fix would be to make the test if offset < -1, or to remove it in its 
> entirety.
> many thanks!
> scott





[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

2015-10-02 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=22417#comment-22417
 ] 

Robin Sommer commented on BIT-1363:
---

Ok, I'll remove. Looking forward to the plugin!

> Clustered AF_PACKET support
> ---
>
> Key: BIT-1363
> URL: https://bro-tracker.atlassian.net/browse/BIT-1363
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: Bro
>Affects Versions: git/master
>Reporter: Michal Purzynski
>Assignee: Robin Sommer
> Attachments: pcap.c
>
>
> Let's have support for packet capture with AF_PACKET sockets in a 
> multi-worker configuration.
> Bro can use a single worker with af_packet, I have tested it and it works, but 
> having direct support for multi-worker load balancing would allow avoiding 
> pf_ring for many deployments with a traffic level where DNA / ZC / 
> Myricom / DAG is not required.





[Bro-Dev] [JIRA] (BIT-1485) add configure option to prevent building broker python bindings

2015-10-02 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1485:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> add configure option to prevent building broker python bindings
> ---
>
> Key: BIT-1485
> URL: https://bro-tracker.atlassian.net/browse/BIT-1485
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro, Broker
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
>
> There should be a configure option to prevent building the broker python 
> bindings.
> Also, the summary output of configure should more clearly show whether or not 
> pybroker will be built (for example, if you have an older version of swig, 
> it's not easy to see the warning message about not being able to build python 
> bindings).





[Bro-Dev] [JIRA] (BIT-1481) some test canonifiers don't always read from stdin

2015-10-02 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1481?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1481:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> some test canonifiers don't always read from stdin
> --
>
> Key: BIT-1481
> URL: https://bro-tracker.atlassian.net/browse/BIT-1481
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
>
> Some of the test canonifier scripts being used in the Bro test suite
> cannot reliably be combined with other canonifiers in a pipeline.
> For example, this works:
> TEST_DIFF_CANONIFIER="diff-remove-x509-names | diff-remove-timestamps"
> but switching the order of these canonifiers does not work:
> TEST_DIFF_CANONIFIER="diff-remove-timestamps | diff-remove-x509-names"





[Bro-Dev] [JIRA] (BIT-1484) topic/dnthayer/doc-fixes

2015-10-02 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1484:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> topic/dnthayer/doc-fixes
> 
>
> Key: BIT-1484
> URL: https://bro-tracker.atlassian.net/browse/BIT-1484
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
>
> The branch "topic/dnthayer/doc-fixes" in the bro repo contains various
> doc fixes and improvements that I've collected over the past two months.
> These are mostly just small fixes or clarifications based on user questions on
> the mailing list.  The most significant changes are to the input framework
> and the GeoIP documentation.





[Bro-Dev] [JIRA] (BIT-1336) ElasticSearch indices in UTC

2015-10-01 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1336:
-

Assignee: Robin Sommer

> ElasticSearch indices in UTC
> 
>
> Key: BIT-1336
> URL: https://bro-tracker.atlassian.net/browse/BIT-1336
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Vlad Grigorescu
>Assignee: Robin Sommer
>Priority: Trivial
> Fix For: 2.5
>
>
> For improved compatibility with Kibana and other ElasticSearch frontends, the 
> timestamps on the Bro indices should be changed to UTC.





[Bro-Dev] [JIRA] (BIT-1467) several tests are broken in scripts/policy/protocols/ssl

2015-10-01 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=22410#comment-22410
 ] 

Robin Sommer commented on BIT-1467:
---

They keep failing for me too. Is this still a canonifier problem, or are the 
tests themselves broken?

I'd like to get this fixed; not good if we have tests that we know to fail.

> several tests are broken in scripts/policy/protocols/ssl
> 
>
> Key: BIT-1467
> URL: https://bro-tracker.atlassian.net/browse/BIT-1467
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Daniel Thayer
>Assignee: Johanna Amann
> Fix For: 2.5
>
>
> Due to recent bug fixes in the btest repo (see BIT-1455), it was
> discovered that several tests in the bro repo now fail due to problems
> with their canonifier.





[Bro-Dev] [JIRA] (BIT-1486) Bro crashes when trying to Start

2015-10-01 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1486:
--
Priority: Normal  (was: Critical)

> Bro crashes when trying to Start
> 
>
> Key: BIT-1486
> URL: https://bro-tracker.atlassian.net/browse/BIT-1486
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
> Environment: It's on a Centos 6 OS version and we are in the process 
> of transitioning from an onboard NIC to a Myricom 10G fiber interface card.
>Reporter: Gabriel Dinkins
>  Labels: broctl
>
> Upon trying to start the Bro IDS software it continually crashes. Upon 
> checking the "diag" it states:  stderr.log
> fatal error: problem with interface p3p1 (p3p1: no IPv4 address assigned)





[Bro-Dev] [JIRA] (BIT-1476) btest-diff can generate too much output when a test fails

2015-10-01 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1476:
-

Assignee: Robin Sommer

> btest-diff can generate too much output when a test fails
> -
>
> Key: BIT-1476
> URL: https://bro-tracker.atlassian.net/browse/BIT-1476
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: BTest
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
>
> When btest-diff fails for a test, it shows the file and then the diff of 
> the file vs. the baseline.  For small output sizes, this can be very useful, 
> but it doesn't seem useful when one must scroll through hundreds (or thousands) 
> of lines of output just to find where the diff begins.  There is a MAX_LINES 
> parameter in btest-diff to truncate the output of huge files, but it cannot be 
> customized and the default value is 5000, which seems really excessive.  There 
> is also a TEST_DIFF_BRIEF option to prevent showing any file contents, but this 
> is not desirable to use for tests with small baselines, and having to set it 
> for each test with a large baseline seems like too much of a maintenance burden.





[Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

2015-10-01 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1470:
-

Assignee: Robin Sommer

> Implemented Functions in Notice Framework
> -
>
> Key: BIT-1470
> URL: https://bro-tracker.atlassian.net/browse/BIT-1470
> Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: Bro
>Affects Versions: 2.3
>Reporter: Wendy Edwards
>Assignee: Robin Sommer
>Priority: Low
> Fix For: 2.5
>
> Attachments: main_mod.bro, notice_main.patch
>
>
> I modified the main.bro file in the notice framework (see 
> https://github.com/bro/bro/blob/master/scripts/base/frameworks/notice/main.bro)
>  to implement the functions "notice_tags" and "execute_with_notice."  The 
> patch (notice_main.patch) and the modified file (main_mod.bro) are both 
> attached.





[Bro-Dev] [JIRA] (BIT-1479) seek functionality in RAW reader does not go to end of file

2015-10-01 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1479?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1479:
-

Assignee: Robin Sommer

> seek functionality in RAW reader does not go to end of file
> ---
>
> Key: BIT-1479
> URL: https://bro-tracker.atlassian.net/browse/BIT-1479
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
> Environment: running bin/bro version 2.4-87-debug on linux
>Reporter: scampbell
>Assignee: Robin Sommer
>  Labels: input-framework
>
> When using the seek functionality for RAW input as described in 
> https://github.com/bro/bro/commit/cbba73ab12b3a9935162f008fe7d05ab61c5be6a
> The code on lines 397-398 will push the suggested value of -1 to 0, which will 
> disable the SEEK_END.
> The fix would be to make the test if offset < -1, or to remove it in its 
> entirety.
> many thanks!
> scott




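The sentinel collision scott describes (the same report appears twice on this page, here and in the earlier close notice), as an added C example that does not reproduce Bro's Raw reader code: `sanitise_offset_buggy` models the check as the report describes it, `sanitise_offset_fixed` the proposed `offset < -1` test, and `position_after_seek` applies the result to a temporary file. That the repaired check still maps values below -1 to 0 is an assumption of mine, the file contents are constructed, and the function names are my own.

```c
#include <stdio.h>

/* Constructed file contents for the demonstration (29 bytes). */
static const char sample[] = "line one\nline two\nline three\n";

/* Sanitising step as the report describes the buggy code: every negative
 * offset, including the -1 that is supposed to mean "end of file", is
 * pushed to 0, so the sentinel is lost before the seek happens. */
long sanitise_offset_buggy(long offset)
{
    if (offset < 0)
        offset = 0;
    return offset;
}

/* The check the report proposes: only values below -1 are rejected, so the
 * -1 sentinel survives. Mapping rejected values to 0 is an assumption. */
long sanitise_offset_fixed(long offset)
{
    if (offset < -1)
        offset = 0;
    return offset;
}

/* Apply a sanitised offset the way the report describes the reader's seek:
 * -1 selects SEEK_END, anything else is an absolute SEEK_SET position. */
static int apply_offset(FILE *f, long offset)
{
    if (offset == -1)
        return fseek(f, 0, SEEK_END);
    return fseek(f, offset, SEEK_SET);
}

/* Write the sample into a temporary file, sanitise `requested` with the
 * buggy or the fixed check, seek, and return the resulting file position
 * (or -1 on an I/O error). */
long position_after_seek(long requested, int use_fixed_check)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fwrite(sample, 1, sizeof(sample) - 1, f);
    rewind(f);

    long offset = use_fixed_check ? sanitise_offset_fixed(requested)
                                  : sanitise_offset_buggy(requested);
    long pos = -1;
    if (apply_offset(f, offset) == 0)
        pos = ftell(f);
    fclose(f);
    return pos;
}

int main(void)
{
    printf("request -1, buggy check: position %ld\n", position_after_seek(-1, 0));
    printf("request -1, fixed check: position %ld\n", position_after_seek(-1, 1));
    printf("request  9, fixed check: position %ld\n", position_after_seek(9, 1));
    return 0;
}
```

With the buggy check a request for -1 lands at position 0, so a reader that was meant to start at the end of a growing log re-reads the whole file from the beginning; with the repaired check it lands at byte 29, the end of the sample. The general lesson is that a range check applied before the sentinel is interpreted silently turns "seek to end" into "seek to start".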

[Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

2015-10-01 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1470:
--
Status: Open  (was: Merge Request)

> Implemented Functions in Notice Framework
> -
>
> Key: BIT-1470
> URL: https://bro-tracker.atlassian.net/browse/BIT-1470
> Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: Bro
>Affects Versions: 2.3
>Reporter: Wendy Edwards
>Assignee: Robin Sommer
>Priority: Low
> Fix For: 2.5
>
> Attachments: main_mod.bro, notice_main.patch
>
>
> I modified the main.bro file in the notice framework (see 
> https://github.com/bro/bro/blob/master/scripts/base/frameworks/notice/main.bro)
>  to implement the functions "notice_tags" and "execute_with_notice."  The 
> patch (notice_main.patch) and the modified file (main_mod.bro) are both 
> attached.





[Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

2015-10-01 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=22408#comment-22408
 ] 

Robin Sommer commented on BIT-1470:
---

The code in notice_tags() looks pretty fragile: I'd bet that if we ever 
changed the fields that an Info record had, we'd forget to adapt this function. 

Different idea: we could use record_fields() instead to get all the fields 
dynamically and then iterate through. For those that need special treatment to 
generate good defaults, we could still hardcode that; but for all others we'd 
just convert to string by default.

> Implemented Functions in Notice Framework
> -
>
> Key: BIT-1470
> URL: https://bro-tracker.atlassian.net/browse/BIT-1470
> Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: Bro
>Affects Versions: 2.3
>Reporter: Wendy Edwards
>Assignee: Robin Sommer
>Priority: Low
> Fix For: 2.5
>
> Attachments: main_mod.bro, notice_main.patch
>
>
> I modified the main.bro file in the notice framework (see 
> https://github.com/bro/bro/blob/master/scripts/base/frameworks/notice/main.bro)
>  to implement the functions "notice_tags" and "execute_with_notice."  The 
> patch (notice_main.patch) and the modified file (main_mod.bro) are both 
> attached.





[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

2015-10-01 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=22412#comment-22412
 ] 

Robin Sommer commented on BIT-1363:
---

Is the conclusion that the pcap-based fan-out code that got merged recently 
doesn't work and should be removed? That would then also affect 
https://github.com/bro/broctl/pull/1.

> Clustered AF_PACKET support
> ---
>
> Key: BIT-1363
> URL: https://bro-tracker.atlassian.net/browse/BIT-1363
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: Bro
>Affects Versions: git/master
>Reporter: Michal Purzynski
> Attachments: pcap.c
>
>
> Let's have support for packet capture with AF_PACKET sockets in a 
> multi-worker configuration.
> Bro can use a single worker with af_packet, I have tested it and it works, but 
> having direct support for multi-worker load balancing would allow avoiding 
> pf_ring for many deployments with a traffic level where DNA / ZC / 
> Myricom / DAG is not required.





[Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

2015-10-01 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=22413#comment-22413
 ] 

Robin Sommer commented on BIT-1470:
---

Sure, thanks (I should have assigned it back to you)

> Implemented Functions in Notice Framework
> -
>
> Key: BIT-1470
> URL: https://bro-tracker.atlassian.net/browse/BIT-1470
> Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: Bro
>Affects Versions: 2.3
>Reporter: Wendy Edwards
>Assignee: Daniel Thayer
>Priority: Low
> Fix For: 2.5
>
> Attachments: main_mod.bro, notice_main.patch
>
>
> I modified the main.bro file in the notice framework (see 
> https://github.com/bro/bro/blob/master/scripts/base/frameworks/notice/main.bro)
>  to implement the functions "notice_tags" and "execute_with_notice."  The 
> patch (notice_main.patch) and the modified file (main_mod.bro) are both 
> attached.





[Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

2015-10-01 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1470:
-

Assignee: Wendy Edwards  (was: Daniel Thayer)

> Implemented Functions in Notice Framework
> -
>
> Key: BIT-1470
> URL: https://bro-tracker.atlassian.net/browse/BIT-1470
> Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: Bro
>Affects Versions: 2.3
>Reporter: Wendy Edwards
>Assignee: Wendy Edwards
>Priority: Low
> Fix For: 2.5
>
> Attachments: main_mod.bro, notice_main.patch
>
>
> I modified the main.bro file in the notice framework (see 
> https://github.com/bro/bro/blob/master/scripts/base/frameworks/notice/main.bro)
>  to implement the functions "notice_tags" and "execute_with_notice."  The 
> patch (notice_main.patch) and the modified file (main_mod.bro) are both 
> attached.





[Bro-Dev] [JIRA] (BIT-1476) btest-diff can generate too much output when a test fails

2015-10-01 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1476:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> btest-diff can generate too much output when a test fails
> -
>
> Key: BIT-1476
> URL: https://bro-tracker.atlassian.net/browse/BIT-1476
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: BTest
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
>
> When btest-diff fails for a test, it shows the file and then the diff of
> the file vs. the baseline.  For small output sizes, this can be very useful,
> but it doesn't seem useful when one must scroll through hundreds (or thousands) of
> lines of output just to find where the diff begins.  There is a MAX_LINES parameter
> in btest-diff to truncate the output of huge files, but it cannot be customized and
> the default value is 5000, which seems really excessive.  There is also a
> TEST_DIFF_BRIEF option to prevent showing any file contents, but this is
> not desirable to use for tests with small baselines, and having to set it for each
> test with a large baseline seems like too much of a maintenance burden.





[Bro-Dev] [JIRA] (BIT-1336) ElasticSearch indices in UTC

2015-10-01 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1336:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> ElasticSearch indices in UTC
> 
>
> Key: BIT-1336
> URL: https://bro-tracker.atlassian.net/browse/BIT-1336
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Vlad Grigorescu
>Assignee: Robin Sommer
>Priority: Trivial
> Fix For: 2.5
>
>
> For improved compatibility with Kibana and other ElasticSearch frontends, the 
> timestamps on the Bro indices should be changed to UTC.





[Bro-Dev] [JIRA] (BIT-1484) topic/dnthayer/doc-fixes

2015-09-29 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1484:
-

Assignee: Robin Sommer

> topic/dnthayer/doc-fixes
> 
>
> Key: BIT-1484
> URL: https://bro-tracker.atlassian.net/browse/BIT-1484
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
>
> The branch "topic/dnthayer/doc-fixes" in the bro repo contains various
> doc fixes and improvements that I've collected over the past two months.
> These are mostly just small fixes or clarifications based on user questions on
> the mailing list.  The most significant changes are to the input framework
> and the GeoIP documentation.





[Bro-Dev] [JIRA] (BIT-1481) some test canonifiers don't always read from stdin

2015-09-29 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1481?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1481:
-

Assignee: Robin Sommer

> some test canonifiers don't always read from stdin
> --
>
> Key: BIT-1481
> URL: https://bro-tracker.atlassian.net/browse/BIT-1481
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Daniel Thayer
>Assignee: Robin Sommer
>
> Some of the test canonifier scripts being used in the Bro test suite
> cannot reliably be combined with other canonifiers in a pipeline.
> For example, this works:
> TEST_DIFF_CANONIFIER="diff-remove-x509-names | diff-remove-timestamps"
> but switching the order of these canonifiers does not work:
> TEST_DIFF_CANONIFIER="diff-remove-timestamps | diff-remove-x509-names"





[Bro-Dev] [JIRA] (BIT-1470) Implemented Functions in Notice Framework

2015-09-01 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1470:
--
Status: Merge Request  (was: Open)

> Implemented Functions in Notice Framework
> -
>
> Key: BIT-1470
> URL: https://bro-tracker.atlassian.net/browse/BIT-1470
> Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: Bro
>Affects Versions: 2.3
>Reporter: Wendy Edwards
> Attachments: main_mod.bro, notice_main.patch
>
>
> I modified the main.bro file in the notice framework (see 
> https://github.com/bro/bro/blob/master/scripts/base/frameworks/notice/main.bro)
>  to implement the functions "notice_tags" and "execute_with_notice."  The 
> patch (notice_main.patch) and the modified file (main_mod.bro) are both 
> attached.





[Bro-Dev] [JIRA] (BIT-1425) BroString::Set() Attempts Allocation of Negative-Length Memory

2015-08-31 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1425:
--
Resolution: Fixed
Status: Closed  (was: Open)

> BroString::Set() Attempts Allocation of Negative-Length Memory
> --
>
> Key: BIT-1425
> URL: https://bro-tracker.atlassian.net/browse/BIT-1425
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.3, 2.4
> Environment: Linux Mint 17.1 (Ubuntu 14.04) on bare metal and in a 
> VirtualBox VM.
> Mac OS X 10.10.3
>Reporter: Jonathan Ganz
>Assignee: Robin Sommer
>  Labels: analyzer
> Fix For: 2.5
>
> Attachments: backtrace.log, 
> lbl-internal.20041215-1142.port004.dump.anon, memory_trace.log, 
> negativeMemory.bro
>
>
> When the tcp_packet() event is used, Bro may attempt to allocate memory that 
> is negative in length (i.e. -6 bytes). Bro crashes with the following output:
> tcmalloc: large alloc 0 bytes == (nil) @  0x7f6abeaefc73 0x7f6abeb111c3 
> 0x765e81 0x765b24 0x872562 0xaddc2f 0xaded94 0xb7aeca 0x775180 0x84105b 
> 0x83f5c0 0x83f39d 0x7fb1bc 0xb3cde6 0x7fb3d9 0x750e98 0x7f6abdaf4ec5 0x72e553 
> (nil)
> out of memory in new.
> 1103139821.634774 fatal error: out of memory in new.
> The attached pcap file and bro script cause such a crash when run with the 
> following command:
> /usr/local/bro/bin/bro -r lbl-internal.20041215-1142.port004.dump.anon 
> /usr/local/bro/share/bro/site/negativeMemory.bro
> A core file is not being generated for me, despite following the directions 
> for reporting problems 
> (https://www.bro.org/support/reporting-problems.html#getting-more-information-after-acrash).
>  The file named memory_trace.log shows an alternatively formatted traceback 
> of the stack when the error occurs.





[Bro-Dev] [JIRA] (BIT-1463) heap overflow in PktSrc::Process

2015-08-31 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1463:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> heap overflow in PktSrc::Process
> 
>
> Key: BIT-1463
> URL: https://bro-tracker.atlassian.net/browse/BIT-1463
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.4
>Reporter: Justin Azoff
> Attachments: pktsrc_bug.pcap
>
>
> {code}
> ==11569==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x6020001bcbfc at pc 0x00da1f1b bp 0x7fff726f3d90 sp 0x7fff726f3d88
> READ of size 1 at 0x6020001bcbfc thread T0
> #0 0xda1f1a in iosource::PktSrc::Process() 
> /scratch/bro-clean/src/iosource/PktSrc.cc:325:3
> #1 0x7ba7bf in net_run() /scratch/bro-clean/src/Net.cc:330:4
> #2 0x641d9c in main /scratch/bro-clean/src/main.cc:1199:3
> #3 0x7f2fd89beb44 in __libc_start_main 
> /tmp/buildd/glibc-2.19/csu/libc-start.c:287
> #4 0x5ee98c in _start (/scratch/bro-clean/build/src/bro+0x5ee98c)
> {code}




