[Bro-Dev] [JIRA] (BIT-1089) Please install sample/example broctl .cfg files

2014-01-15 Thread Daniel Thayer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1089?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1089:
---

Fix Version/s: 2.2

> Please install sample/example broctl .cfg files
> ---
>
> Key: BIT-1089
> URL: https://bro-tracker.atlassian.net/browse/BIT-1089
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: BroControl
> Reporter: leres
> Priority: Low
> Fix For: 2.2
>

--
This message was sent by Atlassian JIRA
(v6.2-OD-07-027#6211)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


[Bro-Dev] [JIRA] (BIT-1112) topic/dnthayer/misc-improvements

2014-01-15 Thread Daniel Thayer (JIRA)
Daniel Thayer created BIT-1112:
--

Summary: topic/dnthayer/misc-improvements
Key: BIT-1112
URL: https://bro-tracker.atlassian.net/browse/BIT-1112
Project: Bro Issue Tracker
Issue Type: Problem
Components: BroControl
Reporter: Daniel Thayer
Fix For: 2.3


The branch topic/dnthayer/misc-improvements contains some small
fixes/improvements: improve broctl output formatting, fix "top" output
on OS X Mavericks, fix minor issue with plugin init() return values.
Also included are some changes from Justin Azoff: plugin
code cleanup (remove redundant plugin initialization, and use
getattr for lookup of plugin methods), and enable dead host
caching in cron mode.

[Bro-Dev] [JIRA] (BIT-1112) topic/dnthayer/misc-improvements

2014-01-15 Thread Daniel Thayer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1112?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1112:
---

Status: Merge Request  (was: Open)

> topic/dnthayer/misc-improvements
> ---
>
> Key: BIT-1112
> URL: https://bro-tracker.atlassian.net/browse/BIT-1112
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Reporter: Daniel Thayer
> Fix For: 2.3
>
> The branch topic/dnthayer/misc-improvements contains some small
> fixes/improvements: improve broctl output formatting, fix "top" output
> on OS X Mavericks, fix minor issue with plugin init() return values.
> Also included are some changes from Justin Azoff: plugin
> code cleanup (remove redundant plugin initialization, and use
> getattr for lookup of plugin methods), and enable dead host
> caching in cron mode.

[Bro-Dev] [JIRA] (BIT-1113) topic/jazoff/notice_file_info

2014-01-15 Thread Justin Azoff (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15201#comment-15201 ]

Justin Azoff commented on BIT-1113:
---

This branch contains a single change that adds the new file information to
notice emails. The resulting notices look like the following:

{code}
Message: Malware Hash Registry Detection rate: 11%  Last seen: 2014-01-07 12:38:05
Sub-message: https://www.virustotal.com/en/search/?query=c2937b7e2619af42c1cfa13e061c6a0f9133b2bb

File Description: http://staticwajam-wajam.netdna-ssl.com/static/update/wajam_update.exe?v0.016
File Mime Type: application/x-dosexec

Connection: ...
Connection uid: ...
...
{code}

> topic/jazoff/notice_file_info
> ---
>
> Key: BIT-1113
> URL: https://bro-tracker.atlassian.net/browse/BIT-1113
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 2.2
> Reporter: Justin Azoff
>

[Bro-Dev] [JIRA] (BIT-1114) topic/jazoff/ssl-validation-fix

2014-01-15 Thread Justin Azoff (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1114?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Azoff updated BIT-1114:
--

Status: Merge Request  (was: Open)

> topic/jazoff/ssl-validation-fix
> ---
>
> Key: BIT-1114
> URL: https://bro-tracker.atlassian.net/browse/BIT-1114
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 2.2
> Reporter: Justin Azoff
>

[Bro-Dev] [JIRA] (BIT-1115) topic/jazoff/suppression

2014-01-15 Thread Justin Azoff (JIRA)
Justin Azoff created BIT-1115:
-

Summary: topic/jazoff/suppression
Key: BIT-1115
URL: https://bro-tracker.atlassian.net/browse/BIT-1115
Project: Bro Issue Tracker
Issue Type: Patch
Components: Bro
Affects Versions: 2.2
Reporter: Justin Azoff

[Bro-Dev] [JIRA] (BIT-1113) topic/jazoff/notice_file_info

2014-01-15 Thread Justin Azoff (JIRA)
Justin Azoff created BIT-1113:
-

Summary: topic/jazoff/notice_file_info
Key: BIT-1113
URL: https://bro-tracker.atlassian.net/browse/BIT-1113
Project: Bro Issue Tracker
Issue Type: Patch
Components: Bro
Affects Versions: 2.2
Reporter: Justin Azoff

[Bro-Dev] [JIRA] (BIT-1114) topic/jazoff/ssl-validation-fix

2014-01-15 Thread Justin Azoff (JIRA)
Justin Azoff created BIT-1114:
-

Summary: topic/jazoff/ssl-validation-fix
Key: BIT-1114
URL: https://bro-tracker.atlassian.net/browse/BIT-1114
Project: Bro Issue Tracker
Issue Type: Patch
Components: Bro
Affects Versions: 2.2
Reporter: Justin Azoff

[Bro-Dev] [JIRA] (BIT-1115) topic/jazoff/suppression

2014-01-15 Thread Justin Azoff (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1115?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Azoff updated BIT-1115:
--

Status: Merge Request  (was: Open)

> topic/jazoff/suppression
> ---
>
> Key: BIT-1115
> URL: https://bro-tracker.atlassian.net/browse/BIT-1115
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 2.2
> Reporter: Justin Azoff
>

[Bro-Dev] [JIRA] (BIT-1113) topic/jazoff/notice_file_info

2014-01-15 Thread Justin Azoff (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Azoff updated BIT-1113:
--

Status: Merge Request  (was: Open)

> topic/jazoff/notice_file_info
> ---
>
> Key: BIT-1113
> URL: https://bro-tracker.atlassian.net/browse/BIT-1113
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 2.2
> Reporter: Justin Azoff
>

[Bro-Dev] [JIRA] (BIT-1114) topic/jazoff/ssl-validation-fix

2014-01-15 Thread Justin Azoff (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1114?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15202#comment-15202 ]

Justin Azoff commented on BIT-1114:
---

This branch contains a single commit that fixes the use of the
recently_validated_certs table. It was being checked for the presence of a
cached validation result, but on a cache miss, the validation result was not
being added.

> topic/jazoff/ssl-validation-fix
> ---
>
> Key: BIT-1114
> URL: https://bro-tracker.atlassian.net/browse/BIT-1114
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 2.2
> Reporter: Justin Azoff
>

[Bro-Dev] [JIRA] (BIT-1115) topic/jazoff/suppression

2014-01-15 Thread Justin Azoff (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15203#comment-15203 ]

Justin Azoff commented on BIT-1115:
---

Instead of storing the entire notice in Notice::suppressing, just store the
time the notice should be suppressed until.

This has the same functionality, except that end_suppression can no longer be
generated.

This has the effect of greatly reducing the memory usage on a bro cluster that
is raising a lot of suppressed notices. This can happen if suppression is
enabled, but the suppression id is too specific and multiple notices are raised
anyway. This problem is exacerbated on cluster nodes that are running 10
workers, since the suppression information is duplicated across all workers
(and then across all nodes).

For a stress test of a pcap that raises 38609 notices:

| Without the patch | 147255296 maximum resident set size |
| With the patch    | 49586176 maximum resident set size  |
| Difference        | 93 MB                               |

On the real cluster, I was seeing memory usage growing at the rate of 2
megabytes/second or so. Even with 24G of RAM the nodes were OOMing after a few
hours. Bro workers would crash, eventually resync the data, and crash again.

> topic/jazoff/suppression
> ---
>
> Key: BIT-1115
> URL: https://bro-tracker.atlassian.net/browse/BIT-1115
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 2.2
> Reporter: Justin Azoff
>

--
This message was sent by Atlassian JIRA
(v6.2-OD-07-027#6211)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
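
An illustrative Bro-script sketch of the change Justin describes in the BIT-1115 comment above, added for this page and not taken from the topic/jazoff/suppression branch: the table keyed on [Notice::Type, identifier] holds only the time until which a notice is suppressed, not the whole Notice::Info record. The table name suppressed_until and both function names are hypothetical, chosen so the real Notice::suppressing is not redeclared; the Notice::Info fields $note, $identifier and $suppress_for are the standard ones.

```bro
##! Added example (not from the branch): suppression bookkeeping that keeps
##! only an expiry time per (note, identifier) pair.

module Notice;

export {
	## Hypothetical stand-in for Notice::suppressing. The value is the
	## time until which the notice is suppressed, not the Notice::Info
	## record; one time value per entry instead of a full record is what
	## saves memory on busy workers.
	global suppressed_until: table[Notice::Type, string] of time = {}
		&create_expire=1 day;

	## Returns T if an identical notice was seen recently enough that
	## this one should be dropped.
	global is_being_suppressed: function(n: Notice::Info): bool;

	## Records that notices matching n are suppressed for n$suppress_for.
	global remember_suppression: function(n: Notice::Info);
}

function is_being_suppressed(n: Notice::Info): bool
	{
	# Notices without an identifier are never suppressed.
	if ( ! n?$identifier )
		return F;

	if ( [n$note, n$identifier] in suppressed_until )
		{
		if ( network_time() < suppressed_until[n$note, n$identifier] )
			return T;

		# Window has passed; drop the stale entry. Because only the
		# time was kept, the original Notice::Info is gone, so no
		# Notice::end_suppression event can be raised here (the
		# trade-off the comment describes).
		delete suppressed_until[n$note, n$identifier];
		}

	return F;
	}

function remember_suppression(n: Notice::Info)
	{
	if ( ! n?$identifier || n$suppress_for == 0 secs )
		return;

	suppressed_until[n$note, n$identifier] = network_time() + n$suppress_for;
	}
```
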


[Bro-Dev] [JIRA] (BIT-1116) topic/jsiwek/libmagic-integration

2014-01-15 Thread Jon Siwek (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1116:
---

Status: Merge Request  (was: Open)

> topic/jsiwek/libmagic-integration
> ---
>
> Key: BIT-1116
> URL: https://bro-tracker.atlassian.net/browse/BIT-1116
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Reporter: Jon Siwek
> Fix For: 2.3
>
> This branch is in bro, 3rdparty, bromagic, bro-testing, and
> bro-testing-private repos. It integrates libmagic 5.16 into Bro as a CMake
> ExternalProject, which requires CMake >= 2.8.0, so that one does not have to
> install libmagic to build bro.
> Resolves BIT-, BIT-1096.

[Bro-Dev] [JIRA] (BIT-1116) topic/jsiwek/libmagic-integration

2014-01-15 Thread Jon Siwek (JIRA)
Jon Siwek created BIT-1116:
--

Summary: topic/jsiwek/libmagic-integration
Key: BIT-1116
URL: https://bro-tracker.atlassian.net/browse/BIT-1116
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Reporter: Jon Siwek
Fix For: 2.3


This branch is in bro, 3rdparty, bromagic, bro-testing, and bro-testing-private
repos. It integrates libmagic 5.16 into Bro as a CMake ExternalProject, which
requires CMake >= 2.8.0, so that one does not have to install libmagic to build
bro.

Resolves BIT-, BIT-1096.
