[Bro-Dev] [JIRA] (BIT-1255) TCP reassembly issue

2015-02-27 Thread Vern Paxson (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19804#comment-19804
 ] 

Vern Paxson commented on BIT-1255:
--

That behavior is to not chew up tons of buffer when asymmetric routing leads to 
not seeing any acks.  *However* I'm finding that modern traffic not 
infrequently is using much larger initial windows such that indeed there's 
routinely > 4KB of data at the beginning of a flow without any acknowledgments. 
 I think this value needs to be cranked to at least 16KB lest a lot of routine 
traffic goes unanalyzed.

> TCP reassembly issue
>
> Key: BIT-1255
> URL: https://bro-tracker.atlassian.net/browse/BIT-1255
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master, 2.3
> Environment: CentOS 6
> Reporter: Jimmy Jones
> Attachments: out.pcap
>
>
> Been testing bro with some messy (but valid) TCP streams, using docker and 
> netem (happy to upload a gist if people are interested).
> The attached file reassembles correctly in wireshark, but bro only gives the 
> first 4069 bytes when extracted with the file analysis framework, and 
> obviously the wrong hash (md5 is the URI).



--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
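
A way to check the claim in the comment above against one's own traffic, as an added example (not Bro code and not part of the original thread): it counts the payload bytes an endpoint sends before the monitor sees any acknowledgment of data, and compares that with the 4KB and 16KB figures from the comment. The segment records are constructed, and the record layout and function names are assumptions.

```python
from collections import namedtuple

# Constructed record layout (an assumption, not a Bro structure): sender side,
# relative sequence number of the first payload byte, payload length, and the
# relative ACK number carried (0 = acknowledges nothing beyond the SYN).
Seg = namedtuple("Seg", "side seq length ack_no")

def bytes_before_first_ack(segments, sender="orig"):
    """Unique payload bytes `sender` emitted before the monitor saw the peer
    acknowledge any data. A flow whose ACKs are never seen counts in full."""
    spans = []
    for s in segments:
        if s.side != sender:
            if s.ack_no > 0:            # first acknowledgment of data: stop
                break
            continue                    # e.g. SYN-ACK, acknowledges no data
        if s.length > 0:
            spans.append((s.seq, s.seq + s.length))
    total, reach = 0, 0
    for start, end in sorted(spans):    # merge so retransmissions count once
        if end > reach:
            total += end - max(start, reach)
            reach = end
    return total

def exceeds(segments, limit):
    """True if the unacknowledged initial data is larger than `limit` bytes."""
    return bytes_before_first_ack(segments) > limit

MSS = 1460
# Constructed flow: two segments, then an ACK (SYN-ACK first, ignored).
small = [Seg("resp", 0, 0, 0), Seg("orig", 0, MSS, 0),
         Seg("orig", MSS, MSS, 0), Seg("resp", 0, 0, 2 * MSS)]
# Constructed flow: ten-segment initial flight, out of order with one
# retransmission, then the first ACK, then data that must not be counted.
iw10 = [Seg("orig", i * MSS, MSS, 0) for i in (1, 0, 2, 3, 3, 5, 4, 6, 7, 8, 9)]
iw10 += [Seg("resp", 0, 0, 10 * MSS), Seg("orig", 10 * MSS, MSS, 0)]
# Constructed flow: asymmetric routing, the monitor sees one direction only.
one_way = [Seg("orig", i * MSS, MSS, 0) for i in range(40)]

def report():
    """Per flow: (bytes before first ACK, over 4KB?, over 16KB?)."""
    flows = {"small": small, "iw10": iw10, "one_way": one_way}
    return {name: (bytes_before_first_ack(f),
                   exceeds(f, 4 * 1024), exceeds(f, 16 * 1024))
            for name, f in flows.items()}

if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

In this constructed data the ten-segment flight is over the 4KB figure but under 16KB, while the one-way flow is over both.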


[Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker

2015-02-27 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1319:
-

Assignee: Robin Sommer

> topic/jsiwek/broker
> ---
>
> Key: BIT-1319
> URL: https://bro-tracker.atlassian.net/browse/BIT-1319
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jon Siwek
> Assignee: Robin Sommer
> Fix For: 2.4
>
>
> The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the 
> initial support for Broker.
> Notes/Disclaimers/Caveats:
> - Bro has a --enable-broker configure flag.
> - requires actor-framework "develop" branch.  When version 0.13 is out, I 
> will put that as a requirement in the README and have CMake check for that.
> - no C bindings yet
> - no Python bindings yet
> - other than checking compilation that the new unit tests pass on 
> Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, 
> optimization etc.





[Bro-Dev] [JIRA] (BIT-1320) topic/jazoff/broctld

2015-02-27 Thread Daniel Thayer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19803#comment-19803
 ] 

Daniel Thayer commented on BIT-1320:


I just added another commit to this branch to address an issue reported on the 
bro mailing list involving PF_RING+DNA interface names.


> topic/jazoff/broctld
>
> Key: BIT-1320
> URL: https://bro-tracker.atlassian.net/browse/BIT-1320
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Reporter: Daniel Thayer
> Fix For: 2.4
>
>
> Branch topic/jazoff/broctld in the broctl repo contains significant code 
> reorganization for the upcoming broctld.  Here is a high-level list of 
> changes:
> 1) Refactor broctl to make it usable as a library (reduce global state, 
> module-level setup code, and functions return results instead of printing),
> 2) Integrate ssh_runner code into broctl to fix current problems (use only 
> one connection per host instead of one per Bro node, broctl shouldn't hang 
> when a host goes down or if we forgot to run "broctl install"),
> 3) Write state info using SQLite state storage instead of writing to a plain 
> text file (broctl.dat),
> 4)  When the node config changes, we now do additional checks if there are 
> any Bro nodes running that are no longer in our node config and warn user if 
> any are detected,
> 5) Keep track of the expected state (running or stopped) of each Bro node, 
> and have broctl cron start or stop nodes as needed,
> 6) Improved broctl cron by adding two new options (MailHostUpDown and 
> StatsLogEnable) to enable users the option to turn off unwanted functionality 
> to speed up broctl cron and reduce the chance of errors,
> 7) When broctl cron tries to send email but fails, now it will output a 
> message that includes the text it was trying to mail, 
> 8) Silence warning messages (that are intended for interactive use of broctl) 
> when broctl cron runs to reduce unwanted emails from cron,
> 9) Added new broctl option StatusCmdShowAll to enable users to speed up 
> "broctl status" significantly,
> 10) Fixed the stats-to-csv script to not create files that can never include 
> any data,
> 11) Fixed archive-log script to detect exit status of gzip or cp command, so 
> that we don't delete log file when the archival fails,
> 12) Improved post-terminate script to process log files more consistently,
> 13) Made all broctl command output go to stdout (previously, some output 
> would go to stderr, which made grepping or redirecting the output more 
> difficult),
> 14) Improved the default broctl.cfg file to show more of the useful options,
> 15) Added more error checks to help catch errors earlier,
> 16) Some error message output is more specific and helpful now
>  





[Bro-Dev] [Auto] Merge Status

2015-02-27 Thread Merge Tracker

Open Merge Requests
===================

ID            Component   Reporter       Assignee  Updated     For Version  Priority  Summary
------------  ----------  -------------  --------  ----------  -----------  --------  -------
BIT-1322 [1]  BTest       Daniel Thayer  -         2015-02-26  2.4          Normal    btest should warn when using -T option but cannot create timing baseline
BIT-1321 [2]  Bro         Johanna Amann  -         2015-02-25  2.4          Normal    Merge topic/johanna/ssl-policy
BIT-1320 [3]  BroControl  Daniel Thayer  -         2015-02-25  2.4          Normal    topic/jazoff/broctld [4]
BIT-1319 [5]  Bro         Jon Siwek      -         2015-02-26  2.4          Normal    topic/jsiwek/broker [6]
BIT-1270 [7]  Bro         gclark         gclark    2015-02-22  -            Normal    topic/gilbert/plugin-api-tweak [8]

Open GitHub Pull Requests
=========================

Issue     Component  User            Updated     Title
--------  ---------  --------------  ----------  -----
#25 [9]   bro        eunsilhan [10]  2015-02-24  Topic/jshlbrd/rdp [11]
#24 [12]  bro        msmiley [13]    2015-02-24  add bytes_recvd to Stats and stats.bro for reporting [14]


[1]   BIT-1322          https://bro-tracker.atlassian.net/browse/BIT-1322
[2]   BIT-1321          https://bro-tracker.atlassian.net/browse/BIT-1321
[3]   BIT-1320          https://bro-tracker.atlassian.net/browse/BIT-1320
[4]   broctld           https://github.com/bro/brocontrol/tree/topic/jazoff/broctld
[5]   BIT-1319          https://bro-tracker.atlassian.net/browse/BIT-1319
[6]   broker            https://github.com/bro/bro/tree/topic/jsiwek/broker
[7]   BIT-1270          https://bro-tracker.atlassian.net/browse/BIT-1270
[8]   plugin-api-tweak  https://github.com/bro/bro/tree/topic/gilbert/plugin-api-tweak
[9]   Pull Request #25  https://github.com/bro/bro/pull/25
[10]  eunsilhan         https://github.com/eunsilhan
[11]  Merge Pull Request #25 with  git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git topic/jshlbrd/rdp
[12]  Pull Request #24  https://github.com/bro/bro/pull/24
[13]  msmiley           https://github.com/msmiley
[14]  Merge Pull Request #24 with  git pull --no-ff --no-commit https://github.com/msmiley/bro.git stats-bytes-recvd
