[Bro-Dev] [JIRA] (BIT-1128) Add configure options for linking against jemalloc

2014-03-07 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1128?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1128:
-

Assignee: Jon Siwek

> Add configure options for linking against jemalloc
> --
>
> Key: BIT-1128
> URL: https://bro-tracker.atlassian.net/browse/BIT-1128
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: Bro
>Affects Versions: git/master
>Reporter: Robin Sommer
>Assignee: Jon Siwek
> Fix For: 2.3
>
>
> To gather experiences with using jemalloc, add a configure option 
> --with-jemalloc= that links Bro against it if found. Default should be 
> off.



--
This message was sent by Atlassian JIRA
(v6.2-OD-10-004-WN#6253)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


[Bro-Dev] [JIRA] (BIT-1134) DNS_Mgr::LookupAddr does not respect DNS_FAKE

2014-03-07 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1134?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1134:
-

Assignee: Jon Siwek

> DNS_Mgr::LookupAddr does not respect DNS_FAKE
> -
>
> Key: BIT-1134
> URL: https://bro-tracker.atlassian.net/browse/BIT-1134
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 2.2
>Reporter: Justin Azoff
>Assignee: Jon Siwek
>Priority: Low
> Fix For: 2.3
>
> Attachments: signature.asc
>
>






[Bro-Dev] [JIRA] (BIT-1138) UDP scan detection generates a large number of triggers

2014-03-07 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1138:
--

Resolution: Invalid
Status: Closed  (was: Open)

Not in distribution yet.

> UDP scan detection generates a large number of triggers
> ---
>
> Key: BIT-1138
> URL: https://bro-tracker.atlassian.net/browse/BIT-1138
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Robin Sommer
> Fix For: 2.3
>
> Attachments: CPU-all-scan-policies.png, Memory-All-Scan-Policies.png
>
>
> These triggers then cause high CPU load. We had a fix already but I'm not 
> sure if it has been confirmed that it solved the problem?





[Bro-Dev] [JIRA] (BIT-1137) Investigate sumstats / scan detector performance

2014-03-07 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1137?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1137:
-

Assignee: Seth Hall  (was: Gilbert Clark)

> Investigate sumstats / scan detector performance
> -
>
> Key: BIT-1137
> URL: https://bro-tracker.atlassian.net/browse/BIT-1137
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Robin Sommer
>Assignee: Seth Hall
> Fix For: 2.3
>
>
> It's not clear if sumstats is causing more CPU and/or memory load than 
> expected. There's also some indication that it may perform less well in 
> standalone mode than cluster mode. Need to understand and potentially improve.
> A part of this is also understanding how the new scan detector performs in 
> terms of CPU/memory when compared against the 1.x version.





[Bro-Dev] [JIRA] (BIT-1139) MHR lookups can cause significant CPU overhead in tests

2014-03-07 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1139?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1139:
-

Assignee: Jon Siwek  (was: Gilbert Clark)

> MHR lookups can cause significant CPU overhead in tests
> ---
>
> Key: BIT-1139
> URL: https://bro-tracker.atlassian.net/browse/BIT-1139
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Robin Sommer
>Assignee: Jon Siwek
> Fix For: 2.3
>
>
> Live operation seems fine, need to understand what's going on.





[Bro-Dev] [JIRA] (BIT-1143) Investigate replacing libmagic w/ signatures for file identification

2014-03-07 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1143?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1143:
--

Reporter: Jon Siwek  (was: Seth Hall)

> Investigate replacing libmagic w/ signatures for file identification
> 
>
> Key: BIT-1143
> URL: https://bro-tracker.atlassian.net/browse/BIT-1143
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: Bro
>Affects Versions: git/master
>Reporter: Jon Siwek
>Assignee: Seth Hall
> Fix For: 2.3
>
>
> I think it makes sense to try to make the switch from libmagic to using Bro's 
> own signature engine for file identification before the next release.  Don't 
> want people getting used to magic file format for their own custom file 
> identification rules.





[Bro-Dev] [JIRA] (BIT-1143) Investigate replacing libmagic w/ signatures for file identification

2014-03-07 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1143?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1143:
--

Reporter: Seth Hall  (was: Jon Siwek)

> Investigate replacing libmagic w/ signatures for file identification
> 
>
> Key: BIT-1143
> URL: https://bro-tracker.atlassian.net/browse/BIT-1143
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: Bro
>Affects Versions: git/master
>Reporter: Seth Hall
>Assignee: Seth Hall
> Fix For: 2.3
>
>
> I think it makes sense to try to make the switch from libmagic to using Bro's 
> own signature engine for file identification before the next release.  Don't 
> want people getting used to magic file format for their own custom file 
> identification rules.





[Bro-Dev] [JIRA] (BIT-348) Reassembler integer overflow issues. Data not delivered after 2GB

2014-03-07 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-348:


Assignee: Bernhard Amann

> Reassembler integer overflow issues. Data not delivered after 2GB
> -
>
> Key: BIT-348
> URL: https://bro-tracker.atlassian.net/browse/BIT-348
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: gregor
>Assignee: Bernhard Amann
>Priority: High
>  Labels: inttypes
> Fix For: 2.3
>
>
> {noformat}
> #!rst
> The TCP Reassembler does not deliver any data to analyzers after the first 
> 2GB due to signed integer overflow (Actually it will deliver again between 
> 4--6GB, etc.) This happens silently, i.e., without content_gap events or 
> Undelivered calls. 
> This report superseded BIT-315, BIT-137
> The TCP Reassembler (and Reassem) base class use ``int`` to keep track of 
> sequence numbers and ``seq_delta`` to check for differences. If a connection 
> exceeds 2GB, the relative sequence numbers (int) used by the Reassembler 
> become negative. While many parts of the Reassembler still work (because 
> seq_delta still reports the correct difference) some parts do not. In 
> particular ``seq_to_skip`` is broken (and fails silently). There might well 
> be other parts of the Reassembler that fail 
> silently as well, that I haven't found yet. 
> See Comments in TCP_Reassembler.cc for more details. 
> The Reassembler should use int64. However this will require deep changes to 
> the Reassembler and the TCP Analyzer and TCP_Endpoint classes (since we also 
> store sequence numbers there). Also, the analyzer framework will need tweaks 
> as well (e.g., Undelivered uses ``int`` for sequence numbers, also has to go 
> to 64 bit)
> As a hotfix that seems to work I disabled the ``seq_to_skip`` features. It 
> wasn't used by any analyzer or policy script (Note, that seq_to_skip is 
> different from skip_deliveries). Hotfix is in 
> topic/gregor/reassembler-hotfix
> {noformat}





[Bro-Dev] [JIRA] (BIT-348) Reassembler integer overflow issues. Data not delivered after 2GB

2014-03-07 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-348:
-

Fix Version/s: (was: 2.4)
   2.3

> Reassembler integer overflow issues. Data not delivered after 2GB
> -
>
> Key: BIT-348
> URL: https://bro-tracker.atlassian.net/browse/BIT-348
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: gregor
>Assignee: Bernhard Amann
>Priority: High
>  Labels: inttypes
> Fix For: 2.3
>
>
> {noformat}
> #!rst
> The TCP Reassembler does not deliver any data to analyzers after the first 
> 2GB due to signed integer overflow (Actually it will deliver again between 
> 4--6GB, etc.) This happens silently, i.e., without content_gap events or 
> Undelivered calls. 
> This report superseded BIT-315, BIT-137
> The TCP Reassembler (and Reassem) base class use ``int`` to keep track of 
> sequence numbers and ``seq_delta`` to check for differences. If a connection 
> exceeds 2GB, the relative sequence numbers (int) used by the Reassembler 
> become negative. While many parts of the Reassembler still work (because 
> seq_delta still reports the correct difference) some parts do not. In 
> particular ``seq_to_skip`` is broken (and fails silently). There might well 
> be other parts of the Reassembler that fail 
> silently as well, that I haven't found yet. 
> See Comments in TCP_Reassembler.cc for more details. 
> The Reassembler should use int64. However this will require deep changes to 
> the Reassembler and the TCP Analyzer and TCP_Endpoint classes (since we also 
> store sequence numbers there). Also, the analyzer framework will need tweaks 
> as well (e.g., Undelivered uses ``int`` for sequence numbers, also has to go 
> to 64 bit)
> As a hotfix that seems to work I disabled the ``seq_to_skip`` features. It 
> wasn't used by any analyzer or policy script (Note, that seq_to_skip is 
> different from skip_deliveries). Hotfix is in 
> topic/gregor/reassembler-hotfix
> {noformat}



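The failure mode described in the BIT-348 report above, as an added example (not code from Bro or from the original message): a relative sequence number kept in a 32-bit signed int goes negative past 2GB, modular differences between nearby segments stay correct, but a comparison against a stale mark silently stops delivery until the value wraps positive again at 4GB. The names `rel_seq32`, `seq_delta32`, `delivers32`, `delivers64` and the skip mark fixed at 0 are assumptions chosen to reproduce the reported symptom.

```c
#include <stdint.h>
#include <stdio.h>

#define GB (1024ULL * 1024 * 1024)

/* Relative sequence number as stored in a 32-bit signed int. The wrap is
 * modelled through uint32_t so the example has no undefined signed overflow
 * (the final conversion is modulo 2^32 on GCC and Clang). */
static int32_t rel_seq32(uint64_t stream_offset) {
    return (int32_t)(uint32_t)stream_offset;
}

/* Modular difference: still correct across the 2GB boundary as long as the
 * two sequence numbers are less than 2^31 bytes apart. */
static int32_t seq_delta32(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a - (uint32_t)b);
}

/* Hypothetical skip check (assumption, not Bro's code): deliver only data
 * past a skip mark that was never advanced from 0. */
static int delivers32(uint64_t stream_offset) {
    const int32_t seq_to_skip = 0;
    return rel_seq32(stream_offset) > seq_to_skip;
}

/* The same check with 64-bit relative sequence numbers. */
static int delivers64(uint64_t stream_offset) {
    const int64_t seq_to_skip = 0;
    return (int64_t)stream_offset > seq_to_skip;
}

int main(void) {
    /* Constructed stream offsets on either side of each 2GB boundary. */
    const uint64_t offsets[] = {
        1 * GB, 2 * GB + 1, 3 * GB, 4 * GB + 1, 5 * GB, 6 * GB + 1
    };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        printf("offset %11llu  rel32 %11d  deliver32 %d  deliver64 %d\n",
               (unsigned long long)offsets[i],
               (int)rel_seq32(offsets[i]),
               delivers32(offsets[i]), delivers64(offsets[i]));
    }
    /* Adjacent segments straddling 2GB still have the right distance. */
    printf("delta across 2GB: %d\n",
           (int)seq_delta32(rel_seq32(2 * GB + 1460),
                            rel_seq32(2 * GB - 1460)));
    return 0;
}
```

Nothing in the 32-bit path signals an error in the 2GB to 4GB window, which is why the report stresses that the loss is silent; for a network monitor that means traffic past the boundary goes unanalyzed without any gap indication.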


[Bro-Dev] [JIRA] (BIT-1151) JSON output

2014-03-07 Thread Robin Sommer (JIRA)
Robin Sommer created BIT-1151:
-

 Summary: JSON output
 Key: BIT-1151
 URL: https://bro-tracker.atlassian.net/browse/BIT-1151
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Robin Sommer
Assignee: Seth Hall
 Fix For: 2.3








[Bro-Dev] [JIRA] (BIT-1150) X509 updates

2014-03-07 Thread Robin Sommer (JIRA)
Robin Sommer created BIT-1150:
-

 Summary: X509 updates
 Key: BIT-1150
 URL: https://bro-tracker.atlassian.net/browse/BIT-1150
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Robin Sommer
Assignee: Bernhard Amann
 Fix For: 2.3








[Bro-Dev] [JIRA] (BIT-1152) BroControl version check

2014-03-07 Thread Robin Sommer (JIRA)
Robin Sommer created BIT-1152:
-

 Summary: BroControl version check
 Key: BIT-1152
 URL: https://bro-tracker.atlassian.net/browse/BIT-1152
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Robin Sommer
Assignee: Daniel Thayer
 Fix For: 2.3


Show warning if version has been upgraded.





[Bro-Dev] [JIRA] (BIT-1149) Check Coverity PIA message

2014-03-07 Thread Robin Sommer (JIRA)
Robin Sommer created BIT-1149:
-

 Summary: Check Coverity PIA message
 Key: BIT-1149
 URL: https://bro-tracker.atlassian.net/browse/BIT-1149
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Robin Sommer
Assignee: Robin Sommer
 Fix For: 2.3








[Bro-Dev] [JIRA] (BIT-845) PF_RING+DNA

2014-03-07 Thread Seth Hall (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-845?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Seth Hall updated BIT-845:
--

Assignee: Seth Hall  (was: Daniel Thayer)

> PF_RING+DNA
> ---
>
> Key: BIT-845
> URL: https://bro-tracker.atlassian.net/browse/BIT-845
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: BroControl
>Affects Versions: git/master
>Reporter: Daniel Thayer
>Assignee: Seth Hall
> Fix For: 2.3
>
> Attachments: lb_pf_ring_dna.py
>
>
> This is a feature that didn't make it into 2.1-beta.
> The idea is to have a broctl plugin that has a pre-start 
> hook to automatically run this on each worker host:
> pfdnacluster_master -i dna0 -c 21 -n 
> A worker entry in node.cfg would look something like this:
> [worker-1]
> type=worker
> host=host1
> interface=dna0
> lb_procs=4
> lb_method=pf_ring_dna





[Bro-Dev] [JIRA] (BIT-845) PF_RING+DNA

2014-03-07 Thread Daniel Thayer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15712#comment-15712
 ] 

Daniel Thayer commented on BIT-845:
---

Branch topic/dnthayer/ticket845 implements this functionality (but it
does not manage the pfdnacluster_master process).


> PF_RING+DNA
> ---
>
> Key: BIT-845
> URL: https://bro-tracker.atlassian.net/browse/BIT-845
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: BroControl
>Affects Versions: git/master
>Reporter: Daniel Thayer
>Assignee: Seth Hall
> Fix For: 2.3
>
> Attachments: lb_pf_ring_dna.py
>
>
> This is a feature that didn't make it into 2.1-beta.
> The idea is to have a broctl plugin that has a pre-start 
> hook to automatically run this on each worker host:
> pfdnacluster_master -i dna0 -c 21 -n 
> A worker entry in node.cfg would look something like this:
> [worker-1]
> type=worker
> host=host1
> interface=dna0
> lb_procs=4
> lb_method=pf_ring_dna





[Bro-Dev] [JIRA] (BIT-845) PF_RING+DNA

2014-03-07 Thread Seth Hall (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-845?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Seth Hall updated BIT-845:
--

Fix Version/s: (was: 2.4)
   2.3

> PF_RING+DNA
> ---
>
> Key: BIT-845
> URL: https://bro-tracker.atlassian.net/browse/BIT-845
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: BroControl
>Affects Versions: git/master
>Reporter: Daniel Thayer
>Assignee: Daniel Thayer
> Fix For: 2.3
>
> Attachments: lb_pf_ring_dna.py
>
>
> This is a feature that didn't make it into 2.1-beta.
> The idea is to have a broctl plugin that has a pre-start 
> hook to automatically run this on each worker host:
> pfdnacluster_master -i dna0 -c 21 -n 
> A worker entry in node.cfg would look something like this:
> [worker-1]
> type=worker
> host=host1
> interface=dna0
> lb_procs=4
> lb_method=pf_ring_dna





[Bro-Dev] [JIRA] (BIT-845) PF_RING+DNA

2014-03-07 Thread Seth Hall (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15711#comment-15711
 ] 

Seth Hall commented on BIT-845:
---

I committed a new branch a while ago that improves this.  I'm planning on 
getting some documentation written and merged in for 2.3.

> PF_RING+DNA
> ---
>
> Key: BIT-845
> URL: https://bro-tracker.atlassian.net/browse/BIT-845
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: BroControl
>Affects Versions: git/master
>Reporter: Daniel Thayer
>Assignee: Seth Hall
> Fix For: 2.3
>
> Attachments: lb_pf_ring_dna.py
>
>
> This is a feature that didn't make it into 2.1-beta.
> The idea is to have a broctl plugin that has a pre-start 
> hook to automatically run this on each worker host:
> pfdnacluster_master -i dna0 -c 21 -n 
> A worker entry in node.cfg would look something like this:
> [worker-1]
> type=worker
> host=host1
> interface=dna0
> lb_procs=4
> lb_method=pf_ring_dna





[Bro-Dev] [JIRA] (BIT-78) Binpac DNS Analyzer does not use dns_skip_* settings

2014-03-07 Thread Seth Hall (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-78?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Seth Hall updated BIT-78:
-

Resolution: Invalid
Status: Closed  (was: Open)

The binpac dns analyzer is gone.

> Binpac DNS Analyzer does not use dns_skip_* settings
> 
>
> Key: BIT-78
> URL: https://bro-tracker.atlassian.net/browse/BIT-78
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: 1.5.2
>Reporter: gregor
>Priority: Low
>  Labels: analyzer, binpac, dns, dns_skip
>
> The binpac based DNS Analyzer ignores the dns_skip_* settings, that are 
> defined in bro.init





[Bro-Dev] [Auto] Merge Status

2014-03-07 Thread Merge Tracker

Open Merge Requests
===================

ID            Component  Reporter   Assignee      Updated     For Version  Priority  Summary
------------  ---------  ---------  ------------  ----------  -----------  --------  -------
BIT-1147 [1]  Bro        Seth Hall  Robin Sommer  2014-03-06  -            Normal    topic/seth/dns-srv-fix - Fixing some problems with DNS [2]


Open Fastpath Commits
=====================

Commit       Component  Author     Date        Summary
-----------  ---------  ---------  ----------  -------
4fd1098 [3]  bro        Jon Siwek  2014-03-04  Misc. documentation fixes.
a2c23b4 [4]  btest      Jon Siwek  2014-03-04  Fix a link in the README.


[1]  BIT-1147     https://bro-tracker.atlassian.net/browse/BIT-1147
[2]  dns-srv-fix  https://github.com/bro/bro/tree/topic/seth/dns-srv-fix
[3]  4fd1098      https://github.com/bro/bro/commit/4fd1098949183a4c0e0f4aa7aa724220a1929d19
[4]  a2c23b4      https://github.com/bro/btest/commit/a2c23b4ffe4b58f0b5c186f156f9111f15ac4a3b
