[Bro-Dev] [JIRA] (BIT-1122) topic/jsiwek/dns-improvements
[ https://bro-tracker.atlassian.net/browse/BIT-1122?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1122:
---------------------------------

    Assignee: Seth Hall

> topic/jsiwek/dns-improvements
> -----------------------------
>
>                 Key: BIT-1122
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1122
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>            Assignee: Seth Hall
>             Fix For: 2.3
>
>
> This branch is in bro, bro-testing, and bro-testing-private repos.
> - Fixes incorrect parsing of DNS message format for messages with empty
> question sections.
> - Changes dns.log to only include standard queries (opcode == 1).
> - Adds "dns_unknown_reply" event for RR types that Bro doesn't know how to
> parse, which improves accuracy of request-reply pair matching performed by
> the default DNS scripts.

--
This message was sent by Atlassian JIRA
(v6.2-OD-07-028#6211)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1119) topic/jsiwek/tcp-improvements
[ https://bro-tracker.atlassian.net/browse/BIT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15303#comment-15303 ]

Robin Sommer commented on BIT-1119:
-----------------------------------

I'm going ahead merging this but I'm wondering about the new {{detect_filtered_trace}} flag. It's pretty common (in the research world, anyways :) to run Bro on a SYN/FIN/RST trace and I imagine having this by default off can add a lot of warnings in that case. Can we add some other heuristic to detect such a trace (i.e., guess whether {{detect_filtered_trace}} should be on)? A (very) coarse approach would simply be a global variable recording if we've ever seen anything else than a TCP control packet. Thoughts?

> topic/jsiwek/tcp-improvements
> -----------------------------
>
>                 Key: BIT-1119
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1119
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>             Fix For: 2.3
>
>
> This branch is in the bro, bro-testing, and bro-testing-private repos and has
> a few changes to improve reporting of TCP connection sizes and gaps (commit
> messages explain in more detail).
> The baseline changes in the external repos all seemed reasonable/explainable
> (or actually fix a problem). There's too much changed to go through
> case-by-case and actually check things, but I did do closer examinations of
> unique differences as I came across them (e.g. try to corroborate Bro results
> via wireshark). Then for those that seem to follow the same trend as
> something I already inspected, I wouldn't manually check.
[Bro-Dev] [JIRA] (BIT-1122) topic/jsiwek/dns-improvements
[ https://bro-tracker.atlassian.net/browse/BIT-1122?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1122:
---------------------------

    Issue Type: Improvement  (was: Problem)

> topic/jsiwek/dns-improvements
> -----------------------------
>
>                 Key: BIT-1122
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1122
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>             Fix For: 2.3
>
>
> This branch is in bro, bro-testing, and bro-testing-private repos.
> - Fixes incorrect parsing of DNS message format for messages with empty
> question sections.
> - Changes dns.log to only include standard queries (opcode == 1).
> - Adds "dns_unknown_reply" event for RR types that Bro doesn't know how to
> parse, which improves accuracy of request-reply pair matching performed by
> the default DNS scripts.
[Bro-Dev] [JIRA] (BIT-1122) topic/jsiwek/dns-improvements
Jon Siwek created BIT-1122:
---------------------------

             Summary: topic/jsiwek/dns-improvements
                 Key: BIT-1122
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1122
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Jon Siwek
             Fix For: 2.3


This branch is in bro, bro-testing, and bro-testing-private repos.
- Fixes incorrect parsing of DNS message format for messages with empty
  question sections.
- Changes dns.log to only include standard queries (opcode == 1).
- Adds "dns_unknown_reply" event for RR types that Bro doesn't know how to
  parse, which improves accuracy of request-reply pair matching performed by
  the default DNS scripts.
[Bro-Dev] [JIRA] (BIT-1122) topic/jsiwek/dns-improvements
[ https://bro-tracker.atlassian.net/browse/BIT-1122?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1122:
---------------------------

    Status: Merge Request  (was: Open)

> topic/jsiwek/dns-improvements
> -----------------------------
>
>                 Key: BIT-1122
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1122
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>             Fix For: 2.3
>
>
> This branch is in bro, bro-testing, and bro-testing-private repos.
> - Fixes incorrect parsing of DNS message format for messages with empty
> question sections.
> - Changes dns.log to only include standard queries (opcode == 1).
> - Adds "dns_unknown_reply" event for RR types that Bro doesn't know how to
> parse, which improves accuracy of request-reply pair matching performed by
> the default DNS scripts.
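The first and third items in the BIT-1122 description above (messages whose question section is empty, and resource-record types the parser has no decoder for) are easiest to see in a parser that walks every section strictly by the counts in the header. The following Python is an added illustration written for this page, not code from Bro or from the topic/jsiwek/dns-improvements branch: it never assumes a question record is present when QDCOUNT is 0, refuses looping or forward compression pointers, and reports RR types it cannot decode instead of dropping them, which is the information a request-reply matcher needs (the role the description gives to dns_unknown_reply). The three sample messages are constructed for the example; the set of "known" RR types and the 65280 private-use type number are choices made here.

```python
import struct

# RR types this toy parser can decode; anything else is reported as unknown.
# (Assumption for the example: a real analyzer knows many more types.)
KNOWN_RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
                  15: "MX", 16: "TXT", 28: "AAAA"}
HEADER_LEN = 12


def read_name(data, offset):
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels = []
    end = None          # where the caller resumes once a pointer was followed
    hops = 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            if offset + 1 >= len(data):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 32 or target >= offset:   # refuse loops and forward pointers
                raise ValueError("bad compression pointer")
            offset = target
            continue
        offset += 1
        if length == 0:
            break
        if offset + length > len(data):
            raise ValueError("truncated label")
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns_message(data):
    """Parse header, question section and all RR sections by the header counts."""
    if len(data) < HEADER_LEN:
        raise ValueError("short DNS header")
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack(
        "!HHHHHH", data[:HEADER_LEN])
    msg = {
        "id": msg_id,
        "qr": flags >> 15,                 # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,     # RFC 1035: 0 QUERY, 1 IQUERY, 2 STATUS
        "rcode": flags & 0xF,
        "questions": [],
        "records": [],
        "unknown_rr_types": [],
    }
    offset = HEADER_LEN
    # A zero QDCOUNT is legal: the loop body simply never runs.
    for _ in range(qdcount):
        name, offset = read_name(data, offset)
        if offset + 4 > len(data):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        msg["questions"].append({"name": name, "type": qtype, "class": qclass})
    for section, count in (("answer", ancount), ("authority", nscount),
                           ("additional", arcount)):
        for _ in range(count):
            name, offset = read_name(data, offset)
            if offset + 10 > len(data):
                raise ValueError("truncated RR header")
            rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            rdata = data[offset:offset + rdlength]
            if len(rdata) != rdlength:
                raise ValueError("truncated RDATA")
            offset += rdlength
            rec = {"section": section, "name": name, "type": rtype, "ttl": ttl, "rdata": rdata}
            if rtype == 1 and rdlength == 4:
                rec["address"] = ".".join(str(b) for b in rdata)
            if rtype not in KNOWN_RR_TYPES:
                msg["unknown_rr_types"].append(rtype)   # surfaced, not dropped
            msg["records"].append(rec)
    return msg


# Constructed sample messages (not captured traffic).
NAME = b"\x07example\x03com\x00"
# Response with an empty question section: QR=1, opcode 0, QDCOUNT=0, ANCOUNT=1.
EMPTY_QUESTION_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 0, 1, 0, 0)
    + NAME + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
# Standard query (opcode 0) carrying one question.
STANDARD_QUERY = (
    struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + NAME + struct.pack("!HH", 1, 1))
# Response whose answer uses a compression pointer (0xC00C -> offset 12) and an
# RR type with no decoder here (65280, from the private-use range).
UNKNOWN_TYPE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1235, 0x8180, 1, 1, 0, 0)
    + NAME + struct.pack("!HH", 65280, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 65280, 1, 60, 3) + b"abc")

if __name__ == "__main__":
    for label, raw in (("empty question", EMPTY_QUESTION_RESPONSE),
                       ("standard query", STANDARD_QUERY),
                       ("unknown RR type", UNKNOWN_TYPE_RESPONSE)):
        m = parse_dns_message(raw)
        print(label, "opcode", m["opcode"], "questions", m["questions"],
              "unknown", m["unknown_rr_types"])
```

Whether a given opcode should reach dns.log is left to the caller; the parser only exposes the numeric field, so a log filter can be applied on top without touching the section walking.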
[Bro-Dev] [JIRA] (BIT-1121) topic/dnthayer/test-improvements
Daniel Thayer created BIT-1121:
-------------------------------

             Summary: topic/dnthayer/test-improvements
                 Key: BIT-1121
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1121
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BroControl
            Reporter: Daniel Thayer
             Fix For: 2.3


Various improvements to the test build scripts to address some error scenarios and to provide convenience features (added a new makefile target "rerun" to more easily re-run failed tests, and scripts now recognize two new env. vars. to enable doing a non-standard build). Improved the test diff canonifiers to do more thorough checking, and to work around an issue in btest-diff which was causing some failed tests to not be reported as failed. Added lots of new tests (there are now 50% more test cases) to fill in gaps in the test coverage. Also improved many existing tests.
[Bro-Dev] [JIRA] (BIT-1121) topic/dnthayer/test-improvements
[ https://bro-tracker.atlassian.net/browse/BIT-1121?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1121:
-------------------------------

    Status: Merge Request  (was: Open)

> topic/dnthayer/test-improvements
> --------------------------------
>
>                 Key: BIT-1121
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1121
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>             Fix For: 2.3
>
>
> Various improvements to the test build scripts to address some
> error scenarios and to provide convenience features (added a
> new makefile target "rerun" to more easily re-run failed tests,
> and scripts now recognize two new env. vars. to enable doing a
> non-standard build). Improved the test diff canonifiers
> to do more thorough checking, and to work around an issue in btest-diff
> which was causing some failed tests to not be reported as failed.
> Added lots of new tests (there are now 50% more test cases) to
> fill in gaps in the test coverage. Also improved many existing
> tests.