[Bro-Dev] [JIRA] (BIT-1343) Add Support for Including Common PAC Files
grigorescu created BIT-1343:

Summary: Add Support for Including Common PAC Files
Key: BIT-1343
URL: https://bro-tracker.atlassian.net/browse/BIT-1343
Project: Bro Issue Tracker
Issue Type: Problem
Components: BinPAC
Reporter: grigorescu
Priority: Low

With some new analyzers, we're duplicating code that we're shipping with Bro, due to a limitation in BinPAC - currently, BinPAC doesn't support %include-ing files from other directories. ASN.1 is a good example of this - SNMP and Kerberos both need a copy of the same ASN.1 parsing code. SMB also has some overlap with other analyzers.

I tried the obvious fix of adding parsing support for {{%include ../snmp/asn1.pac}}, but the include paths get mixed up and compilation fails. I believe this should be a relatively simple fix.

--
This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

grigorescu updated BIT-1344:
Status: Merge Request (was: Open)

New SSH Analyzer
Key: BIT-1344
URL: https://bro-tracker.atlassian.net/browse/BIT-1344
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: 2.4
Reporter: grigorescu

The SSH analyzer was rewritten from scratch in topic/vladg/ssh.
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
grigorescu created BIT-1344:

Summary: New SSH Analyzer
Key: BIT-1344
URL: https://bro-tracker.atlassian.net/browse/BIT-1344
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: 2.4
Reporter: grigorescu

The SSH analyzer was rewritten from scratch in topic/vladg/ssh.
[Bro-Dev] [JIRA] (BIT-947) Incorrect size calculation for SSH failed/successful heuristic
[ https://bro-tracker.atlassian.net/browse/BIT-947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20020#comment-20020 ]

grigorescu commented on BIT-947:

Yes - since the new SSH analyzer does away with the heuristic entirely, this issue will be addressed.

Incorrect size calculation for SSH failed/successful heuristic
Key: BIT-947
URL: https://bro-tracker.atlassian.net/browse/BIT-947
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: grigorescu
Priority: Low
Fix For: 2.4

We're getting a lot of false positives for successful SSH logins from a source that we recently blackholed. I suspect what's happening is that the retransmissions keep bumping up the size of the connection, until it crosses the threshold for a successful connection.

With the changes from BIT-730: Find and fix tcp sequence counting bugs, is it possible to improve the accuracy of the reported size?
[Bro-Dev] [Auto] Merge Status
Open Merge Requests
===================

ID            Component     Reporter       Assignee   Updated     For Version  Priority  Summary
------------  ------------  -------------  ---------  ----------  -----------  --------  -------
BIT-1340 [1]  Bro           Seth Hall      Jon Siwek  2015-03-13  2.4          Normal    RDP analyzer (topic/seth/rdp)
BIT-1303 [2]  pysubnettree  Daniel Thayer  -          2015-03-17  2.4          Normal    pysubnettree tests should be changed to use btest

Open Fastpath Commits
=====================

Commit       Component  Author         Date        Summary
-----------  ---------  -------------  ----------  -------
31795e7 [3]  bro        Johanna Amann  2015-03-10  When setting the SSL analyzer to fail, also stop processing

Open GitHub Pull Requests
=========================

Issue    Component  User           Updated     Title
-------  ---------  -------------  ----------  -----
#28 [4]  bro        aeppert [5]    2015-03-18  Seems to fix a case where an entry in the table may be null on insert. [6]
#27 [7]  bro        petiepooo [8]  2015-03-14  Add defensive check for localtime_r() call [9]

[1] BIT-1340 https://bro-tracker.atlassian.net/browse/BIT-1340
[2] BIT-1303 https://bro-tracker.atlassian.net/browse/BIT-1303
[3] 31795e7 https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3
[4] Pull Request #28 https://github.com/bro/bro/pull/28
[5] aeppert https://github.com/aeppert
[6] Merge Pull Request #28 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master
[7] Pull Request #27 https://github.com/bro/bro/pull/27
[8] petiepooo https://github.com/petiepooo
[9] Merge Pull Request #27 with git pull --no-ff --no-commit https://github.com/petiepooo/bro.git topic/petiepooo/localtime_r-segv
[Bro-Dev] [JIRA] (BIT-1326) Broctl installation requires sqlite but does not check for its presence
[ https://bro-tracker.atlassian.net/browse/BIT-1326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20022#comment-20022 ]

Aashish Sharma commented on BIT-1326:

I am trying to test some stuff with the current master on FreeBSD. Any idea when this would be fixed and/or any hints on a workaround?

Thanks,

Broctl installation requires sqlite but does not check for its presence
Key: BIT-1326
URL: https://bro-tracker.atlassian.net/browse/BIT-1326
Project: Bro Issue Tracker
Issue Type: Problem
Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Fix For: 2.4

Trying to start broctl on a new installation of FreeBSD with a standard python installation results in the following error message upon first start:

{code}
[bro@marge ~/master]$ broctl
Traceback (most recent call last):
  File /xa/bro/master/bin/broctl, line 29, in module
    from BroControl.broctl import BroCtl
  File /xa/bro/master/lib/broctl/BroControl/broctl.py, line 8, in module
    from BroControl import util
  File /xa/bro/master/lib/broctl/BroControl/util.py, line 6, in module
    from BroControl import config
  File /xa/bro/master/lib/broctl/BroControl/config.py, line 10, in module
    from .state import SqliteState
  File /xa/bro/master/lib/broctl/BroControl/state.py, line 2, in module
    import sqlite3
  File /usr/local/lib/python2.7/sqlite3/__init__.py, line 24, in module
    from dbapi2 import *
  File /usr/local/lib/python2.7/sqlite3/dbapi2.py, line 28, in module
    from _sqlite3 import *
ImportError: No module named _sqlite3
{code}

We should probably check for the module in cmake and refuse installation if it is not present.
[Bro-Dev] [JIRA] (BIT-1326) Broctl installation requires sqlite but does not check for its presence
[ https://bro-tracker.atlassian.net/browse/BIT-1326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20023#comment-20023 ]

Daniel Thayer commented on BIT-1326:

On FreeBSD, you need to install a package called py27-sqlite3.

Broctl installation requires sqlite but does not check for its presence
Key: BIT-1326
URL: https://bro-tracker.atlassian.net/browse/BIT-1326
Project: Bro Issue Tracker
Issue Type: Problem
Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1346) Val::CONVERTER Fatal Error - Sumstats Related
[ https://bro-tracker.atlassian.net/browse/BIT-1346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1346:
Fix Version/s: 2.4

Val::CONVERTER Fatal Error - Sumstats Related
Key: BIT-1346
URL: https://bro-tracker.atlassian.net/browse/BIT-1346
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: Aaron Eppert
Priority: Critical
Labels: sumstats
Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1344:
Assignee: Johanna Amann

New SSH Analyzer
Key: BIT-1344
URL: https://bro-tracker.atlassian.net/browse/BIT-1344
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: 2.4
Reporter: grigorescu
Assignee: Johanna Amann

The SSH analyzer was rewritten from scratch in topic/vladg/ssh.
[Bro-Dev] [JIRA] (BIT-1345) Crash due to a bad dictionary insert
Aaron Eppert created BIT-1345:

Summary: Crash due to a bad dictionary insert
Key: BIT-1345
URL: https://bro-tracker.atlassian.net/browse/BIT-1345
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Reporter: Aaron Eppert
Priority: High

#0 0x00713b87 in Dictionary::Insert (this=0x1339840, new_entry=0xb18a9d0, copy_key=0) at /root/redacted/bro/src/Dict.cc:419
#1 0x007130b0 in Dictionary::Insert (this=0x1339840, key=0xa23f6d0, key_size=36, hash=658668102, val=0x67fde40, copy_key=0) at /root/redacted/bro/src/Dict.cc:158
#2 0x006cb508 in Dictionary::Insert (this=0x1339840, key=0x74ba81b0, val=0x67fde40) at /root/redacted/bro/src/Dict.h:47
#3 0x0077ee9b in IDPDict::Insert (this=0x1339840, key=0xebf780 #redacted-redacted.redacted.redacted#21703#1182, val=0x67fde40) at /root/redacted/bro/src/Scope.h:18
#4 0x0077ef05 in Scope::Insert (this=0x133a8b0, name=0xebf780 #redacted-redacted.redacted.redacted#21703#1182, id=0x67fde40) at /root/redacted/bro/src/Scope.h:26
#5 0x008010cc in MutableVal::Bind (this=0x14f451f0) at /root/redacted/bro/src/Val.cc:624
#6 0x00800ec8 in MutableVal::AddProperties (this=0x14f451f0, arg_props=2 '\002') at /root/redacted/bro/src/Val.cc:558
#7 0x0080a8d6 in RecordVal::AddProperties (this=0x14f451f0, arg_props=2 '\002') at /root/redacted/bro/src/Val.cc:2866
#8 0x00805948 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, k=0x0, new_val=0x14f451f0, op=OP_ASSIGN) at /root/redacted/bro/src/Val.cc:1502
#9 0x00805501 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, new_val=0x14f451f0, op=OP_ASSIGN) at /root/redacted/bro/src/Val.cc:1442
#10 0x00738b13 in IndexExpr::Assign (this=0x2087350, f=0x12073280, v=0x14f451f0, op=OP_ASSIGN) at /root/redacted/bro/src/Expr.cc:3135
#11 0x007362a2 in RefExpr::Assign (this=0x2087540, f=0x12073280, v=0x14f451f0, opcode=OP_ASSIGN) at /root/redacted/bro/src/Expr.cc:2463
#12 0x007370ea in AssignExpr::Eval (this=0x20874d0, f=0x12073280) at /root/redacted/bro/src/Expr.cc:2673
#13 0x007e22bb in ExprStmt::Exec (this=0x2087660, f=0x12073280, flow=@0x74ba8624) at /root/redacted/bro/src/Stmt.cc:369
#14 0x007e8375 in StmtList::Exec (this=0x2082c80, f=0x12073280, flow=@0x74ba8624) at /root/redacted/bro/src/Stmt.cc:1764
#15 0x0074e6cd in BroFunc::Call (this=0x2087e70, args=0x13525bb0, parent=0x0) at /root/redacted/bro/src/Func.cc:386
#16 0x00725883 in EventHandler::Call (this=0x2082160, vl=0x13525bb0, no_remote=false) at /root/redacted/bro/src/EventHandler.cc:80
#17 0x006d8cc2 in Event::Dispatch (this=0x620e610, no_remote=false) at /root/redacted/bro/src/Event.h:50
#18 0x00724ef7 in EventMgr::Dispatch (this=0xebd400) at /root/redacted/bro/src/Event.cc:111
#19 0x00725032 in EventMgr::Drain (this=0xebd400) at /root/redacted/bro/src/Event.cc:128
#20 0x00788828 in net_packet_dispatch (t=1426626559.98401, hdr=0x3314d40, pkt=0x7f14a8b464cc Address 0x7f14a8b464cc out of bounds, hdr_size=14, src_ps=0x3314c00) at /root/redacted/bro/src/Net.cc:278
#21 0x00a786d5 in iosource::PktSrc::Process (this=0x3314c00) at /root/redacted/bro/src/iosource/PktSrc.cc:411
#22 0x007889f8 in net_run () at /root/redacted/bro/src/Net.cc:320
#23 0x006d8157 in main (argc=20, argv=0x74ba9188) at /root/redacted/bro/src/main.cc:1200
[Bro-Dev] [JIRA] (BIT-1345) Crash due to a bad dictionary insert
[ https://bro-tracker.atlassian.net/browse/BIT-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20021#comment-20021 ]

Aaron Eppert commented on BIT-1345:

https://github.com/bro/bro/pull/28 is the proposed fix for this problem.

Crash due to a bad dictionary insert
Key: BIT-1345
URL: https://bro-tracker.atlassian.net/browse/BIT-1345
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Reporter: Aaron Eppert
Priority: High
[Bro-Dev] [JIRA] (BIT-1345) Crash due to a bad dictionary insert
[ https://bro-tracker.atlassian.net/browse/BIT-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1345:
Fix Version/s: 2.4

Crash due to a bad dictionary insert
Key: BIT-1345
URL: https://bro-tracker.atlassian.net/browse/BIT-1345
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Reporter: Aaron Eppert
Priority: High
Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1346) Val::CONVERTER Fatal Error - Sumstats Related
Aaron Eppert created BIT-1346:

Summary: Val::CONVERTER Fatal Error - Sumstats Related
Key: BIT-1346
URL: https://bro-tracker.atlassian.net/browse/BIT-1346
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: Aaron Eppert
Priority: Critical

Bro 2.3-451-debug
Linux 2.6.32-504.8.1.el6.x86_64

reporter.log
{ts:1426643084.0629,level:Reporter::ERROR,message:incomplete base64 group, padding with 12 bits of 0,location:}
{ts:1426643086.504566,level:Reporter::ERROR,message:incomplete base64 group, padding with 12 bits of 0,location:}
{ts:1426643089.234903,level:Reporter::ERROR,message:extra base64 groups after \u0027=\u0027 padding are ignored,location:}
{ts:1426643089.234903,level:Reporter::ERROR,message:incomplete base64 group, padding with 12 bits of 0,location:}
{ts:1426643093.283505,level:Reporter::ERROR,message:incomplete base64 group, padding with 12 bits of 0,location:}
{ts:1426643095.710806,level:Reporter::ERROR,message:incomplete base64 group, padding with 12 bits of 0,location:}
{ts:1426643098.094734,level:Reporter::ERROR,message:incomplete base64 group, padding with 12 bits of 0,location:}
{ts:1426643108.020824,level:Reporter::ERROR,message:incomplete base64 group, padding with 12 bits of 0,location:}
{ts:1426643110.429037,level:Reporter::ERROR,message:incomplete base64 group, padding with 12 bits of 0,location:}
{ts:1426643122.957015,level:Reporter::ERROR,message:incomplete base64 group, padding with 12 bits of 0,location:}

stderr.log
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: Check to see if the tagged attribute exists, if so, log it, else
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: it is from the original Intel::LOG, drop it on the floor. This
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: prevents duplicate logging AND avoids a tertiary intel log to
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: parse.
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment:
unlimited unlimited unlimited unlimited
fatal error in no location: Val::CONVERTER (string/port) (80/tcp)

stdout.log
max memory size (kbytes, -m) unlimited
data seg size (kbytes, -d) unlimited
virtual memory (kbytes, -v) unlimited
core file size (blocks, -c) unlimited

.cmdline
-U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto -B threading

.env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/tokumx/bin:/root/bin
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=manager

.status
TERMINATED [atexit]

No prof.log
No packet_filter.log
No loaded_scripts.log

#0 0x003345c32625 in raise () from /lib64/libc.so.6
#1 0x003345c33e05 in abort () from /lib64/libc.so.6
#2 0x007847d9 in Reporter::FatalError (this=0x1ba5490, fmt=0xaf4f56 %s) at /root/ane/bro/src/Reporter.cc:92
#3 0x0078bfb4 in BroObj::BadTag (this=0x4edeb20, msg=0xaeaeae Val::CONVERTER, t1=0xb05a89 string, t2=0xb05aa3 port) at /root/ane/bro/src/Obj.cc:134
#4 0x00770c1c in Val::AsPortVal (this=0x4edeb20) at /root/ane/bro/src/Val.h:282
#5 0x0075aecd in BifFunc::bro_get_port_transport_proto (frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153
#6 0x0074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, parent=0x5862c60) at /root/ane/bro/src/Func.cc:564
#7 0x00740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) at /root/ane/bro/src/Expr.cc:4920
#8 0x007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) at /root/ane/bro/src/Expr.cc:2669
#9 0x007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369
#10 0x007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484
#11 0x007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373
#12 0x007e8379 in
[Bro-Dev] [JIRA] (BIT-1347) Please merge topic/johanna/dtls
[ https://bro-tracker.atlassian.net/browse/BIT-1347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1347:
Summary: Please merge topic/johanna/dtls (was: Please merge topic/johanna/tls)

Please merge topic/johanna/dtls
Key: BIT-1347
URL: https://bro-tracker.atlassian.net/browse/BIT-1347
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Labels: dtls, ssl
Fix For: 2.4

Please merge topic/johanna/dtls

First and foremost, this branch brings DTLS 1.0 / 1.2 support to Bro. Dtls is mostly handled just like SSL. It emits the same events and thus works seamlessly with the current SSL scripts in the Bro core.

Furthermore, it implements TLS record layer defragmentation for the TLS Handshake protocol enabling us e.g. to deal with connections containing large certificates.

The analyzer is now split into three parts, a SSL/TLS analyzer, a DTLS analyzer and a TLS handshake protocol analyzer. The SSL/TLS and DTLS analyzer use a large amount of the same code by including common pac-files.
[Bro-Dev] [JIRA] (BIT-1347) Please merge topic/johanna/tls
[ https://bro-tracker.atlassian.net/browse/BIT-1347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1347:
Status: Merge Request (was: Open)

Please merge topic/johanna/tls
Key: BIT-1347
URL: https://bro-tracker.atlassian.net/browse/BIT-1347
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Labels: dtls, ssl
Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1347) Please merge topic/johanna/tls
Johanna Amann created BIT-1347:

Summary: Please merge topic/johanna/tls
Key: BIT-1347
URL: https://bro-tracker.atlassian.net/browse/BIT-1347
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1348) topic/dnthayer/fix-typos
[ https://bro-tracker.atlassian.net/browse/BIT-1348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1348:
Status: Merge Request (was: Open)

topic/dnthayer/fix-typos
Key: BIT-1348
URL: https://bro-tracker.atlassian.net/browse/BIT-1348
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Reporter: Daniel Thayer
Fix For: 2.4

The branch topic/dnthayer/fix-typos in the bro-plugins repo contains a few small doc fixes, and a portability improvement for the configure script.
[Bro-Dev] [JIRA] (BIT-1348) topic/dnthayer/fix-typos
Daniel Thayer created BIT-1348:

Summary: topic/dnthayer/fix-typos
Key: BIT-1348
URL: https://bro-tracker.atlassian.net/browse/BIT-1348
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Reporter: Daniel Thayer
Fix For: 2.4

The branch topic/dnthayer/fix-typos in the bro-plugins repo contains a few small doc fixes, and a portability improvement for the configure script.
[Bro-Dev] [JIRA] (BIT-342) Add payload to ICMP analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-342:
Status: Merge Request (was: Open)

Add payload to ICMP analyzer
Key: BIT-342
URL: https://bro-tracker.atlassian.net/browse/BIT-342
Project: Bro Issue Tracker
Issue Type: Patch
Components: Bro
Affects Versions: 1.5.2
Reporter: Seth Hall
Assignee: Jon Siwek
Fix For: 2.4
Attachments: ICMP-add-payload.diff

This is a patch from Julien Sentier on the mailing list that makes ICMP payloads available at the scripting layer. Is there a reason this isn't already available? I would have committed it to fastpath except I don't know if it's not already doing this due to the potential overhead of creating a lot of strings in ICMP floods. At the very least, I suppose it could be optional (which the patch doesn't currently do).