[Bro-Dev] [Auto] Merge Status

2015-03-23 Thread Merge Tracker

Open Merge Requests
===================

ID            Component     Reporter       Assignee       Updated     For Version  Priority  Summary
------------  ------------  -------------  -------------  ----------  -----------  --------  ----------------------------------------------------------
BIT-1347 [1]  Bro           Johanna Amann  -              2015-03-18  2.4          Normal    Please merge topic/johanna/dtls
BIT-1344 [2]  Bro           grigorescu     Johanna Amann  2015-03-18  -            Normal    New SSH Analyzer
BIT-1340 [3]  Bro           Seth Hall      Jon Siwek      2015-03-13  2.4          Normal    RDP analyzer (topic/seth/rdp)
BIT-1324 [4]  Bro           Justin Azoff   -              2015-03-19  2.4          Low       default_path_func does weird things to underscores
BIT-1303 [5]  pysubnettree  Daniel Thayer  -              2015-03-17  2.4          Normal    pysubnettree tests should be changed to use btest
BIT-1199 [6]  Bro           grigorescu     -              2015-03-19  2.4          Normal    Better error messages for input file errors in READER_ASCII
BIT-788 [7]   Bro           juliensentier  -              2015-03-19  2.4          Normal    Good analysis of unidirectional DNS flows
BIT-342 [8]   Bro           Seth Hall      -              2015-03-19  2.4          Normal    Add payload to ICMP analyzer


Open Fastpath Commits
=====================

Commit        Component  Author         Date        Summary
------------  ---------  -------------  ----------  -----------------------------------------------------------
eec7f77 [9]   bro        Daniel Thayer  2015-03-18  Correct a spelling error
31795e7 [10]  bro        Johanna Amann  2015-03-10  When setting the SSL analyzer to fail, also stop processing


Open GitHub Pull Requests
=========================

Issue     Component  User            Updated     Title
--------  ---------  --------------  ----------  ---------------------------------------------------------------------------
#28 [11]  bro        aeppert [12]    2015-03-20  Seems to fix a case where an entry in the table may be null on insert. [13]
#27 [14]  bro        petiepooo [15]  2015-03-14  Add defensive check for localtime_r() call [16]


[1]   BIT-1347  https://bro-tracker.atlassian.net/browse/BIT-1347
[2]   BIT-1344  https://bro-tracker.atlassian.net/browse/BIT-1344
[3]   BIT-1340  https://bro-tracker.atlassian.net/browse/BIT-1340
[4]   BIT-1324  https://bro-tracker.atlassian.net/browse/BIT-1324
[5]   BIT-1303  https://bro-tracker.atlassian.net/browse/BIT-1303
[6]   BIT-1199  https://bro-tracker.atlassian.net/browse/BIT-1199
[7]   BIT-788   https://bro-tracker.atlassian.net/browse/BIT-788
[8]   BIT-342   https://bro-tracker.atlassian.net/browse/BIT-342
[9]   eec7f77   https://github.com/bro/bro/commit/eec7f77913e0385d83bbd9b086ae5e3e2c1cd4bb
[10]  31795e7   https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3
[11]  Pull Request #28  https://github.com/bro/bro/pull/28
[12]  aeppert  https://github.com/aeppert
[13]  Merge Pull Request #28 with  git pull --no-ff --no-commit https://github.com/aeppert/bro.git master
[14]  Pull Request #27  https://github.com/bro/bro/pull/27
[15]  petiepooo  https://github.com/petiepooo
[16]  Merge Pull Request #27 with  git pull --no-ff --no-commit https://github.com/petiepooo/bro.git topic/petiepooo/localtime_r-segv

___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


[Bro-Dev] [JIRA] (BIT-1303) pysubnettree tests should be changed to use btest

2015-03-23 Thread Jon Siwek (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jon Siwek reassigned BIT-1303:
--

Assignee: Jon Siwek

> pysubnettree tests should be changed to use btest
> -
>
> Key: BIT-1303
> URL: https://bro-tracker.atlassian.net/browse/BIT-1303
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: pysubnettree
>Reporter: Daniel Thayer
>Assignee: Jon Siwek
> Fix For: 2.4
>
>
> The test cases in pysubnettree should be changed to use btest
> so that the tests are easier to run and can be better organized
> by splitting them into multiple test files.



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)


[Bro-Dev] [JIRA] (BIT-944) @bro-meta index in ES writer

2015-03-23 Thread Seth Hall (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-944?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Seth Hall updated BIT-944:
--
Fix Version/s: (was: 2.4)
   2.5

> @bro-meta index in ES writer
> 
>
> Key: BIT-944
> URL: https://bro-tracker.atlassian.net/browse/BIT-944
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: Seth Hall
>Priority: Low
> Fix For: 2.5
>
>
> The elasticsearch writer isn't creating/modifying the required (for Brownian) 
> @bro-meta index when using the ReLog script to import old logs because 
> rotation is disabled when importing logs.  For now the right answer is to 
> probably just leave out the start and end fields and write to the index 
> in the UpdateIndex method if rotation is disabled.





[Bro-Dev] [JIRA] (BIT-1221) DPD website docs out of date

2015-03-23 Thread Jon Siwek (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1221?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jon Siwek updated BIT-1221:
---
Resolution: Fixed
Status: Closed  (was: Open)

> DPD website docs out of date
> 
>
> Key: BIT-1221
> URL: https://bro-tracker.atlassian.net/browse/BIT-1221
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Website
>Reporter: Jon Siwek
>Assignee: Jon Siwek
> Fix For: 2.4
>
>
> http://www.bro.org/development/howtos/dpd.html
> Some parts of that document reference old code.  At a glance, {{dpd_config}}, 
> {{DPM}}, and the use of {{int}} as the type for sequence numbers are things 
> that pop out at me.





[Bro-Dev] [JIRA] (BIT-944) @bro-meta index in ES writer

2015-03-23 Thread Seth Hall (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20100#comment-20100
 ] 

Seth Hall commented on BIT-944:
---

Yep, it's going to need to get rescheduled.

> @bro-meta index in ES writer
> 
>
> Key: BIT-944
> URL: https://bro-tracker.atlassian.net/browse/BIT-944
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
>Reporter: Seth Hall
>Priority: Low
> Fix For: 2.5
>
>
> The elasticsearch writer isn't creating/modifying the required (for Brownian) 
> @bro-meta index when using the ReLog script to import old logs because 
> rotation is disabled when importing logs.  For now the right answer is to 
> probably just leave out the start and end fields and write to the index 
> in the UpdateIndex method if rotation is disabled.





[Bro-Dev] [JIRA] (BIT-1303) pysubnettree tests should be changed to use btest

2015-03-23 Thread Jon Siwek (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jon Siwek updated BIT-1303:
---
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> pysubnettree tests should be changed to use btest
> -
>
> Key: BIT-1303
> URL: https://bro-tracker.atlassian.net/browse/BIT-1303
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: pysubnettree
>Reporter: Daniel Thayer
>Assignee: Jon Siwek
> Fix For: 2.4
>
>
> The test cases in pysubnettree should be changed to use btest
> so that the tests are easier to run and can be better organized
> by splitting them into multiple test files.





[Bro-Dev] [JIRA] (BIT-1351) Rename the ASCII writer to file writer

2015-03-23 Thread Jon Siwek (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20101#comment-20101
 ] 

Jon Siwek commented on BIT-1351:


Is this meant to be scheduled for 2.4?  If so, please set the Fix Version 
field to 2.4 (or possibly something else or not at all depending on 
where/whether you want it on the roadmap).

> Rename the ASCII writer to file writer
> --
>
> Key: BIT-1351
> URL: https://bro-tracker.atlassian.net/browse/BIT-1351
> Project: Bro Issue Tracker
>  Issue Type: Task
>  Components: Bro
>Affects Versions: git/master, 2.3
>Reporter: grigorescu
>Priority: Low
>  Labels: logging
>
> With the addition of the JSON output format, the ASCII log writer is a bit of 
> a misnomer. This is a reminder based on a discussion that Seth and Robin had 
> to rename this to be a bit more accurate.





[Bro-Dev] [JIRA] (BIT-1351) Rename the ASCII writer to file writer

2015-03-23 Thread grigorescu (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20102#comment-20102
 ] 

grigorescu commented on BIT-1351:
-

No, this was just meant as a reminder. I don't think 2.4 is reasonable or worth 
it.

> Rename the ASCII writer to file writer
> --
>
> Key: BIT-1351
> URL: https://bro-tracker.atlassian.net/browse/BIT-1351
> Project: Bro Issue Tracker
>  Issue Type: Task
>  Components: Bro
>Affects Versions: git/master, 2.3
>Reporter: grigorescu
>Priority: Low
>  Labels: logging
>
> With the addition of the JSON output format, the ASCII log writer is a bit of 
> a misnomer. This is a reminder based on a discussion that Seth and Robin had 
> to rename this to be a bit more accurate.





[Bro-Dev] [JIRA] (BIT-1351) Rename the ASCII writer to file writer

2015-03-23 Thread Vlad Grigorescu (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vlad Grigorescu updated BIT-1351:
-
Fix Version/s: 2.5

> Rename the ASCII writer to file writer
> --
>
> Key: BIT-1351
> URL: https://bro-tracker.atlassian.net/browse/BIT-1351
> Project: Bro Issue Tracker
>  Issue Type: Task
>  Components: Bro
>Affects Versions: git/master, 2.3
>Reporter: grigorescu
>Priority: Low
>  Labels: logging
> Fix For: 2.5
>
>
> With the addition of the JSON output format, the ASCII log writer is a bit of 
> a misnomer. This is a reminder based on a discussion that Seth and Robin had 
> to rename this to be a bit more accurate.





[Bro-Dev] [JIRA] (BIT-342) Add payload to ICMP analyzer

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-342:


Assignee: Robin Sommer

> Add payload to ICMP analyzer
> 
>
> Key: BIT-342
> URL: https://bro-tracker.atlassian.net/browse/BIT-342
> Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: Bro
>Affects Versions: 1.5.2
>Reporter: Seth Hall
>Assignee: Robin Sommer
> Fix For: 2.4
>
> Attachments: ICMP-add-payload.diff
>
>
> This is a patch from Julien Sentier on the mailing list that makes ICMP 
> payloads available at the scripting layer.  Is there a reason this isn't 
> already available?  I would have committed it to fastpath except I don't know 
> if it's not already doing this due to the potential overhead of creating a 
> lot of strings in ICMP floods.  At the very least, I suppose it could be 
> optional (which the patch doesn't currently do).





[Bro-Dev] [JIRA] (BIT-788) Good analysis of unidirectional DNS flows

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-788:


Assignee: Robin Sommer

> Good analysis of unidirectional DNS flows
> -
>
> Key: BIT-788
> URL: https://bro-tracker.atlassian.net/browse/BIT-788
> Project: Bro Issue Tracker
>  Issue Type: Patch
>  Components: Bro
>Affects Versions: git/master
>Reporter: juliensentier
>Assignee: Robin Sommer
> Fix For: 2.4
>
> Attachments: 
> 0011-Good-analysis-of-unidirectional-answer-DNS-traffic-f.patch
>
>
> Some use port udp 53 as a source port for dns requests.
> And sometimes, we can miss the DNS request.
> In this case, we can rely on the DNS field QR to identify the direction of 
> the flow.



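The QR-based direction check described in BIT-788 above, as an added Python example that is not part of the original message, the attached patch, or Bro's code. The `Datagram` container, the function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
"""Orient a DNS/UDP flow from the QR bit when ports alone are ambiguous."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

DNS_PORT = 53
DNS_HEADER_LEN = 12   # fixed DNS header size (RFC 1035, section 4.1.1)
QR_MASK = 0x8000      # top bit of the 16-bit flags word: 0 = query, 1 = response


@dataclass(frozen=True)
class Datagram:
    """One observed UDP datagram (hypothetical container for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def dns_header(txid: int, response: bool, ancount: int = 0) -> bytes:
    """Build a 12-byte DNS header for the constructed samples below."""
    flags = 0x0100                     # RD
    if response:
        flags |= QR_MASK | 0x0080      # QR + RA
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def qr_bit(payload: bytes) -> Optional[bool]:
    """True for a response, False for a query, None if the header is cut short."""
    if len(payload) < DNS_HEADER_LEN:
        return None
    _txid, flags = struct.unpack_from("!HH", payload)
    return bool(flags & QR_MASK)


def orient_by_port(d: Datagram) -> Optional[Tuple[str, str]]:
    """Port-only guess at (client, server): destination port 53 wins."""
    if d.dport == DNS_PORT:
        return (d.src, d.dst)
    if d.sport == DNS_PORT:
        return (d.dst, d.src)
    return None


def orient_by_qr(d: Datagram) -> Optional[Tuple[str, str]]:
    """(client, server) from the QR bit: a response travels server -> client."""
    is_response = qr_bit(d.payload)
    if is_response is None:
        return None
    return (d.dst, d.src) if is_response else (d.src, d.dst)


def orient(d: Datagram) -> Optional[Tuple[str, str]]:
    """Prefer the QR bit; fall back to ports when the header cannot be read."""
    return orient_by_qr(d) or orient_by_port(d)


# Constructed sample traffic: the client also uses source port 53.
CLIENT, SERVER = "198.51.100.7", "192.0.2.53"
QUERY = Datagram(CLIENT, 53, SERVER, 53, dns_header(0x1A2B, response=False))
# The request was missed, so the reply is the first packet seen on the flow.
LONE_RESPONSE = Datagram(SERVER, 53, CLIENT, 53,
                         dns_header(0x1A2B, response=True, ancount=1))
# Payload shorter than a DNS header: the QR bit is unavailable.
TRUNCATED = Datagram(SERVER, 53, CLIENT, 40000, b"\x1a\x2b\x81")

if __name__ == "__main__":
    for name, d in [("query", QUERY), ("lone response", LONE_RESPONSE),
                    ("truncated", TRUNCATED)]:
        print(f"{name:14} port={orient_by_port(d)} qr={orient_by_qr(d)} "
              f"final={orient(d)}")
```

For the lone response, the port-only guess labels the server as the client, while the QR bit recovers the correct orientation.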


[Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1199:
-

Assignee: Robin Sommer

> Better error messages for input file errors in READER_ASCII
> ---
>
> Key: BIT-1199
> URL: https://bro-tracker.atlassian.net/browse/BIT-1199
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Vlad Grigorescu
>Assignee: Robin Sommer
> Fix For: 2.4
>
> Attachments: test.intel
>
>
> This came up on the mailing list a few weeks ago. If one tries to load the 
> attached file as Intelligence, Bro will error out, with:
> {code}
> internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var 
> size: 0
> {code}
> The attached file contains an extra tab after downloader.com.
> It'd be nice if Bro would tell you that this was an issue with the input 
> reader, which file it occurred in, and a line number.
> I think generally speaking, if there's an issue with an input file, it'd be 
> nice to know the line number.
> (Also, there's a typo in mappimg in the error message that's currently 
> displayed).





[Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1324:
-

Assignee: Robin Sommer

> default_path_func does weird things to underscores
> --
>
> Key: BIT-1324
> URL: https://bro-tracker.atlassian.net/browse/BIT-1324
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Reporter: Justin Azoff
>Assignee: Robin Sommer
>Priority: Low
>  Labels: logging
> Fix For: 2.4
>
>
> The following script creates a 
> {noformat}
> foo__b_ar.log
> {noformat}
>  
> instead of the expected {noformat}foo_bar{noformat}
> {code}
> module FOO_BAR;
> export {
> redef enum Log::ID += { LOG };
> type Info: record {
>   ts: time &log;
>   msg: string &log;
> };
> }
> event bro_init() {
> Log::create_stream(LOG, [$columns=Info]);
> local l = [$ts = network_time(), $msg="hello"];
> Log::write(LOG, l);
> print "Logged";
> }
> {code}
> The problem is in script land in default_path_func
> {code}
> local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
> print module_parts;
> {code}
> outputs 
> {code}
> [FOO, _B, AR]
> {code}





[Bro-Dev] [JIRA] (BIT-1226) bad example in quickstart guide

2015-03-23 Thread Jon Siwek (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1226?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jon Siwek updated BIT-1226:
---
Resolution: Fixed
Status: Closed  (was: Open)

> bad example in quickstart guide
> ---
>
> Key: BIT-1226
> URL: https://bro-tracker.atlassian.net/browse/BIT-1226
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master, 2.3
>Reporter: Jon Siwek
>Assignee: Jon Siwek
>  Labels: documentation
> Fix For: 2.4
>
>
> The quickstart has a "deployment customization" involving watching for an SSH 
> login to a specific set of hosts.  The first problem is the code is wrong; an 
> updated example is at https://gist.github.com/jsiwek/2a7692aa9f24e197ca9c.  
> But there's other reasons why this example is not straightforward for new 
> users.  I think it should be replaced with a different example.  Should add a 
> unit test for it as well to make sure it doesn't become outdated.



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


[Bro-Dev] [JIRA] (BIT-1352) Certificate validation script does not deal well with root-certs being sent by server

2015-03-23 Thread Johanna Amann (JIRA)
Johanna Amann created BIT-1352:
--

 Summary: Certificate validation script does not deal well with 
root-certs being sent by server
 Key: BIT-1352
 URL: https://bro-tracker.atlassian.net/browse/BIT-1352
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Johanna Amann
 Fix For: 2.4


Currently, the validate-certs script in policy does not deal well with certain 
certificate chains, where the trust-anchor is being sent by the server. We 
should be able to fix this by removing the trust-anchor automatically from the 
chain; solving this might potentially change the way root-certs are currently 
being loaded into Bro.

Example server: access.redhat.com





[Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger

2015-03-23 Thread Johanna Amann (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Johanna Amann updated BIT-1329:
---
Resolution: Fixed
Status: Closed  (was: Open)

This was apparently fixed by some commit.

> BroControl scripts displays meta-information from bro logger
> 
>
> Key: BIT-1329
> URL: https://bro-tracker.atlassian.net/browse/BIT-1329
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: BroControl
>Affects Versions: git/master
> Environment: When issuing a broctl status, the output contains meta 
> bro-log-lines (like #fields, etc) that we probably do not want to display in 
> this case.
> Example:
> {code}
> [BroControl] > scripts manager
> manager scripts are ok.
>   #separator \x09
>   #set_separator  ,
>   #empty_field(empty)
>   #unset_field-
>   #path   loaded_scripts
>   #open   2015-03-05-13-24-34
>   #fields name
>   #types  string
>   /xa/bro/master/share/bro/base/init-bare.bro
> /xa/bro/master/share/bro/base/bif/const.bif.bro
> ...
>   /xa/bro/master/share/bro/broctl/check.bro
>   #close  2015-03-05-13-24-34
> {code}
>Reporter: Johanna Amann
> Fix For: 2.4
>
>






[Bro-Dev] [JIRA] (BIT-1353) BroCtl status/top take excessive amount of time

2015-03-23 Thread Johanna Amann (JIRA)
Johanna Amann created BIT-1353:
--

 Summary: BroCtl status/top take excessive amount of time
 Key: BIT-1353
 URL: https://bro-tracker.atlassian.net/browse/BIT-1353
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
 Fix For: 2.4


After running a large bro cluster for a few days on a FreeBSD system (FreeBSD 
10.1, 28 physical nodes, 81 worker processes), broctl actions that interact 
with all nodes seem to take excessive amounts of time (>2 minutes for a broctl 
status). This was not the case right after starting up the cluster.

If there is any way I can help with more information, please let me know what 
to do.





[Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger

2015-03-23 Thread Johanna Amann (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Johanna Amann updated BIT-1329:
---
Status: Reopened  (was: Closed)
Resolution: (was: Fixed)

> BroControl scripts displays meta-information from bro logger
> 
>
> Key: BIT-1329
> URL: https://bro-tracker.atlassian.net/browse/BIT-1329
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: BroControl
>Affects Versions: git/master
> Environment: When issuing a broctl status, the output contains meta 
> bro-log-lines (like #fields, etc) that we probably do not want to display in 
> this case.
> Example:
> {code}
> [BroControl] > scripts manager
> manager scripts are ok.
>   #separator \x09
>   #set_separator  ,
>   #empty_field(empty)
>   #unset_field-
>   #path   loaded_scripts
>   #open   2015-03-05-13-24-34
>   #fields name
>   #types  string
>   /xa/bro/master/share/bro/base/init-bare.bro
> /xa/bro/master/share/bro/base/bif/const.bif.bro
> ...
>   /xa/bro/master/share/bro/broctl/check.bro
>   #close  2015-03-05-13-24-34
> {code}
>Reporter: Johanna Amann
> Fix For: 2.4
>
>






[Bro-Dev] [JIRA] (BIT-1347) Please merge topic/johanna/dtls

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1347:
-

Assignee: Robin Sommer

> Please merge topic/johanna/dtls
> ---
>
> Key: BIT-1347
> URL: https://bro-tracker.atlassian.net/browse/BIT-1347
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Johanna Amann
>Assignee: Robin Sommer
>  Labels: dtls, ssl
> Fix For: 2.4
>
>
> Please merge topic/johanna/dtls
> First and foremost, this branch brings DTLS 1.0 / 1.2 support to Bro. DTLS is 
> mostly handled just like SSL. It emits the same events and thus works 
> seamlessly with the current SSL scripts in the Bro core.
> Furthermore, it implements TLS record layer defragmentation for the TLS 
> Handshake protocol, enabling us e.g. to deal with connections containing large 
> certificates.
> The analyzer is now split into three parts: an SSL/TLS analyzer, a DTLS 
> analyzer and a TLS handshake protocol analyzer. The SSL/TLS and DTLS analyzers 
> use a large amount of the same code by including common pac-files.





[Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger

2015-03-23 Thread Johanna Amann (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20104#comment-20104
 ] 

Johanna Amann commented on BIT-1329:


Sorry, was not fixed, I was stupid...

> BroControl scripts displays meta-information from bro logger
> 
>
> Key: BIT-1329
> URL: https://bro-tracker.atlassian.net/browse/BIT-1329
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: BroControl
>Affects Versions: git/master
> Environment: When issuing a broctl status, the output contains meta 
> bro-log-lines (like #fields, etc) that we probably do not want to display in 
> this case.
> Example:
> {code}
> [BroControl] > scripts manager
> manager scripts are ok.
>   #separator \x09
>   #set_separator  ,
>   #empty_field(empty)
>   #unset_field-
>   #path   loaded_scripts
>   #open   2015-03-05-13-24-34
>   #fields name
>   #types  string
>   /xa/bro/master/share/bro/base/init-bare.bro
> /xa/bro/master/share/bro/base/bif/const.bif.bro
> ...
>   /xa/bro/master/share/bro/broctl/check.bro
>   #close  2015-03-05-13-24-34
> {code}
>Reporter: Johanna Amann
> Fix For: 2.4
>
>






[Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger

2015-03-23 Thread Johanna Amann (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Johanna Amann updated BIT-1329:
---
Environment: (was: When issuing a broctl status, the output contains 
meta bro-log-lines (like #fields, etc) that we probably do not want to display 
in this case.

Example:
{code}
[BroControl] > scripts manager
manager scripts are ok.
  #separator \x09
  #set_separator,
  #empty_field  (empty)
  #unset_field  -
  #path loaded_scripts
  #open 2015-03-05-13-24-34
  #fields   name
  #typesstring
  /xa/bro/master/share/bro/base/init-bare.bro
/xa/bro/master/share/bro/base/bif/const.bif.bro
...
  /xa/bro/master/share/bro/broctl/check.bro
  #close2015-03-05-13-24-34
{code})

> BroControl scripts displays meta-information from bro logger
> 
>
> Key: BIT-1329
> URL: https://bro-tracker.atlassian.net/browse/BIT-1329
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: BroControl
>Affects Versions: git/master
>Reporter: Johanna Amann
> Fix For: 2.4
>
>






[Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger

2015-03-23 Thread Johanna Amann (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Johanna Amann updated BIT-1329:
---
Description: 
When issuing a broctl scripts, the output contains meta bro-log-lines (like 
#fields, etc) that we probably do not want to display in this case.

Example:
{code}
[BroControl] > scripts manager
manager scripts are ok.
  #separator \x09
  #set_separator,
  #empty_field  (empty)
  #unset_field  -
  #path loaded_scripts
  #open 2015-03-05-13-24-34
  #fields   name
  #typesstring
  /xa/bro/master/share/bro/base/init-bare.bro
/xa/bro/master/share/bro/base/bif/const.bif.bro
...
  /xa/bro/master/share/bro/broctl/check.bro
  #close2015-03-05-13-24-34
{code}

> BroControl scripts displays meta-information from bro logger
> 
>
> Key: BIT-1329
> URL: https://bro-tracker.atlassian.net/browse/BIT-1329
> Project: Bro Issue Tracker
>  Issue Type: New Feature
>  Components: BroControl
>Affects Versions: git/master
>Reporter: Johanna Amann
> Fix For: 2.4
>
>
> When issuing a broctl scripts, the output contains meta bro-log-lines (like 
> #fields, etc) that we probably do not want to display in this case.
> Example:
> {code}
> [BroControl] > scripts manager
> manager scripts are ok.
>   #separator \x09
>   #set_separator  ,
>   #empty_field(empty)
>   #unset_field-
>   #path   loaded_scripts
>   #open   2015-03-05-13-24-34
>   #fields name
>   #types  string
>   /xa/bro/master/share/bro/base/init-bare.bro
> /xa/bro/master/share/bro/base/bif/const.bif.bro
> ...
>   /xa/bro/master/share/bro/broctl/check.bro
>   #close  2015-03-05-13-24-34
> {code}





[Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers

2015-03-23 Thread Jon Siwek (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20105#comment-20105
 ] 

Jon Siwek commented on BIT-1306:


Can you check if this small patch helps?

{code}
diff --git a/src/main.cc b/src/main.cc
index fb48bdc..7827302 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -391,6 +391,7 @@ void terminate_bro()
delete event_serializer;
delete state_serializer;
delete event_registry;
+   delete remote_serializer;
delete analyzer_mgr;
delete file_mgr;
delete log_mgr;
{code}
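
Review bot: the added `delete remote_serializer;` in terminate_bro() carries no comment saying why it has to be there, and the message notes the line was already dropped once since 2.3.2. Add a one-line comment next to it stating what depends on this destructor running at shutdown, and confirm that nothing deleted after it in the same list (`analyzer_mgr`, `file_mgr`, `log_mgr`) still uses remote_serializer during its own teardown.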

I'm not sure why that got removed (it still exists in 2.3.2), but it might 
cause the main Bro process to not reap its child.  The main Bro process being 
the one that opened a network interface and the child being the one doing 
remote communication, but which inherits the parent's open file descriptors.  
So a total guess is that the process forked for remote communication became a 
zombie (due to lack of what's in the patch above) and holds an open file 
descriptor on the network device.

> bro process would get stuck/freeze with myricom drivers
> ---
>
> Key: BIT-1306
> URL: https://bro-tracker.atlassian.net/browse/BIT-1306
> Project: Bro Issue Tracker
>  Issue Type: Problem
>  Components: Bro
>Affects Versions: git/master
> Environment:  OS: FreeBSD 9.3-RELEASE-p5 OS
> bro version 2.3-328
> git log -1 --format="%H"
> 379593c7fded0f9791ae71a52dd78a4c9d5a2c1f
>Reporter: Aashish Sharma
>  Labels: bro-git, myricom
> Fix For: 2.4
>
>
> When I stop bro (in cluster mode), one of the bro worker processes (random) 
> would get stuck and wouldn't shutdown, stop or even be killed using kill -s 
> 9. 
> System has to be ultimately rebooted to remove stuck bro process. 
> On running  myri_start_stop I see:
> # /usr/local/opt/snf/sbin/myri_start_stop stop
> Removing myri_snf.ko
> kldunload: can't unload file: Device busy
> It appears that the myri_snf.ko driver cannot be unloaded because of the 
> stuck bro process.  That process still has an open descriptor on the Sniffer 
> device/driver and bro process freezes.
> More details:
> The bro process is stuck in RNE state
> R   Marks a runnable process.
> N   The process has reduced CPU scheduling priority (see setpriority(2)).
> E   The process is trying to exit.
> Here is an example:
> ### stuck process:
> [bro@01 ~]$ ps auxwww | fgrep 1616
> bro1616  100.0  0.0 758040 60480 ??  RNE   2:57PM   53:50.04 
> /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p 
> local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro 
> broctl/auto
> when checking for process in proc:
> [bro@c ~]$ ls -l /proc/1616
> ls: /proc/1616: No such file or directory





[Bro-Dev] [JIRA] (BIT-342) Add payload to ICMP analyzer

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-342:
-
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

.

> Add payload to ICMP analyzer
> 
>
> Key: BIT-342
> URL: https://bro-tracker.atlassian.net/browse/BIT-342
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 1.5.2
> Reporter: Seth Hall
> Assignee: Robin Sommer
> Fix For: 2.4
>
> Attachments: ICMP-add-payload.diff
>
>
> This is a patch from Julien Sentier on the mailing list that makes ICMP 
> payloads available at the scripting layer.  Is there a reason this isn't 
> already available?  I would have committed it to fastpath except I don't know 
> if it's not already doing this due to the potential overhead of creating a 
> lot of strings in ICMP floods.  At the very least, I suppose it could be 
> optional (which the patch doesn't currently do).





[Bro-Dev] [JIRA] (BIT-788) Good analysis of unidirectional DNS flows

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-788:
-
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Good analysis of unidirectional DNS flows
> -
>
> Key: BIT-788
> URL: https://bro-tracker.atlassian.net/browse/BIT-788
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: git/master
> Reporter: juliensentier
> Assignee: Robin Sommer
> Fix For: 2.4
>
> Attachments: 0011-Good-analysis-of-unidirectional-answer-DNS-traffic-f.patch
>
>
> Some use UDP port 53 as a source port for DNS requests.
> And sometimes, we can miss the DNS request.
> In this case, we can rely on the DNS field QR to identify the direction of 
> the flow.



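Added example, not part of the original message or of the attached patch: a Python sketch of the idea in BIT-788, where the QR bit of the DNS header decides the flow direction and ports are only a fallback. The function names and the sample packets are constructed for illustration.

```python
import struct

DNS_PORT = 53

def dns_is_response(payload: bytes) -> bool:
    """Return the QR bit of a DNS message (True means response)."""
    if len(payload) < 12:            # the fixed DNS header is 12 bytes
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", payload[:4])
    return bool(flags & 0x8000)      # QR is the top bit of the flags word

def orient_flow(src, sport, dst, dport, payload):
    """Return (client, server) for the first packet seen on a UDP flow.

    Ports are ambiguous when the requester also uses source port 53 or
    when the request was never captured, so the QR bit decides first.
    """
    try:
        response = dns_is_response(payload)
    except ValueError:
        # No usable header: fall back to the port heuristic.
        response = sport == DNS_PORT and dport != DNS_PORT
    return (dst, src) if response else (src, dst)

def build_header(txid, response):
    """Constructed sample: 12-byte header, one question, RD set."""
    flags = 0x0100 | (0x8000 if response else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

# Constructed packets: a requester querying from source port 53, and an
# answer observed without its request.
QUERY_53_TO_53 = ("192.0.2.10", 53, "198.51.100.1", 53,
                  build_header(0x1A2B, False))
LONE_ANSWER = ("198.51.100.1", 53, "192.0.2.10", 53,
               build_header(0x1A2B, True))
```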


[Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1199:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Better error messages for input file errors in READER_ASCII
> ---
>
> Key: BIT-1199
> URL: https://bro-tracker.atlassian.net/browse/BIT-1199
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Vlad Grigorescu
> Assignee: Robin Sommer
> Fix For: 2.4
>
> Attachments: test.intel
>
>
> This came up on the mailing list a few weeks ago. If one tries to load the 
> attached file as Intelligence, Bro will error out, with:
> {code}
> internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var 
> size: 0
> {code}
> The attached file contains an extra tab after downloader.com.
> It'd be nice if Bro would tell you that this was an issue with the input 
> reader, which file it occurred in, and a line number.
> I think generally speaking, if there's an issue with an input file, it'd be 
> nice to know the line number.
> (Also, there's a typo in mappimg in the error message that's currently 
> displayed).



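Added example, not part of the original message or of Bro's input reader: a pre-flight check for tab-separated input files that reports the file name and line number, which is what BIT-1199 asks the reader to do. The sample content is constructed to mirror the extra tab described in the report; treating a zero-length value as a problem is an assumption of this check (unset fields are normally written as "-").

```python
def check_ascii_input(name, text):
    """Return 'file:line: message' strings for malformed data lines in a
    Bro tab-separated input file supplied as text."""
    problems, fields = [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]      # column names from the header
            continue
        if not line or line.startswith("#"):
            continue                           # blank line or other header
        if fields is None:
            problems.append(f"{name}:{lineno}: data before #fields header")
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            problems.append(
                f"{name}:{lineno}: expected {len(fields)} fields, "
                f"got {len(values)}")
        # A stray tab shifts every later column and leaves one value empty,
        # which is how an enum column can end up with nothing to map.
        for col, val in zip(fields, values):
            if val == "":
                problems.append(
                    f"{name}:{lineno}: empty value for column '{col}'")
    return problems

# Constructed sample: line 3 has an extra tab after downloader.com.
SAMPLE = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "example.org\tIntel::DOMAIN\tconstructed-feed\n"
    "downloader.com\t\tIntel::DOMAIN\tconstructed-feed\n"
)
```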


[Bro-Dev] [JIRA] (BIT-1347) Please merge topic/johanna/dtls

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1347:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> Please merge topic/johanna/dtls
> ---
>
> Key: BIT-1347
> URL: https://bro-tracker.atlassian.net/browse/BIT-1347
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Johanna Amann
> Assignee: Robin Sommer
> Labels: dtls, ssl
> Fix For: 2.4
>
>
> Please merge topic/johanna/dtls
> First and foremost, this branch brings DTLS 1.0 / 1.2 support to Bro. DTLS is
> mostly handled just like SSL. It emits the same events and thus works
> seamlessly with the current SSL scripts in the Bro core.
> Furthermore, it implements TLS record layer defragmentation for the TLS
> Handshake protocol, enabling us e.g. to deal with connections containing large
> certificates.
> The analyzer is now split into three parts: an SSL/TLS analyzer, a DTLS
> analyzer and a TLS handshake protocol analyzer. The SSL/TLS and DTLS analyzers
> use a large amount of the same code by including common pac-files.



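Added example, not part of the original message and not the code in topic/johanna/dtls: a Python sketch of TLS record layer defragmentation for handshake messages, showing why a large Certificate message has to be reassembled across records. All function names and the sample stream are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20   # TLS record content types

def iter_records(stream):
    """Yield (content_type, fragment) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        if pos + 5 + length > len(stream):
            break                        # incomplete record: need more data
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def reassemble_handshake(stream, max_msg=1 << 20):
    """Return [(msg_type, body)] for plaintext handshake messages, joining
    fragments that span several records."""
    buf, messages = b"", []
    for ctype, fragment in iter_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            break                        # later handshake records are encrypted
        if ctype != HANDSHAKE:
            continue
        buf += fragment
        while len(buf) >= 4:             # 1-byte type + 3-byte length
            length = int.from_bytes(buf[1:4], "big")
            if length > max_msg:         # bound memory on hostile lengths
                raise ValueError("handshake message too large")
            if len(buf) < 4 + length:
                break                    # remainder arrives in a later record
            messages.append((buf[0], buf[4:4 + length]))
            buf = buf[4 + length:]
    return messages

def record(ctype, payload):
    """Constructed sample helper: wrap payload in a TLS 1.2 record."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

# Constructed input: a 40000-byte Certificate message (type 11) exceeds the
# 2**14-byte record fragment limit, so it is carried in three records.
CERT_BODY = bytes(40000)
CERT_MSG = b"\x0b" + len(CERT_BODY).to_bytes(3, "big") + CERT_BODY
STREAM = b"".join(record(HANDSHAKE, CERT_MSG[i:i + 16384])
                  for i in range(0, len(CERT_MSG), 16384))
```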


[Bro-Dev] [JIRA] (BIT-1313) Add help and all options to -B

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1313:
--
Resolution: Merged
Status: Closed  (was: Open)

> Add help and all options to -B 
> ---
>
> Key: BIT-1313
> URL: https://bro-tracker.atlassian.net/browse/BIT-1313
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Reporter: jdonnelly
> Assignee: Robin Sommer
> Fix For: 2.4
>
> Attachments: log.diff
>
>
> Expand -B to include all, help, and list all the various debug trace points:
> #/usr/local/bro/bin/bro -B poo
> fatal error: unknown debug stream poo, try -B help.
> # /usr/local/bro/bin/bro -B help  
> Options may be separated by ","
> all
> help
> serial
> rules
> comm
> state
> chunkedio
> compressor
> string
> notifiers
> main-loop
> dpd
> tm
> logging
> input
> threading
> file_analysis
> plugins
> broxygen
> pktio





[Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores

2015-03-23 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1324:
--
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

> default_path_func does weird things to underscores
> --
>
> Key: BIT-1324
> URL: https://bro-tracker.atlassian.net/browse/BIT-1324
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Justin Azoff
> Assignee: Robin Sommer
> Priority: Low
> Labels: logging
> Fix For: 2.4
>
>
> The following script creates a 
> {noformat}
> foo__b_ar.log
> {noformat}
>  
> instead of the expected {noformat}foo_bar{noformat}
> {code}
> module FOO_BAR;
> export {
>     redef enum Log::ID += { LOG };
>     type Info: record {
>         ts: time &log;
>         msg: string &log;
>     };
> }
> event bro_init() {
>     Log::create_stream(LOG, [$columns=Info]);
>     local l = [$ts = network_time(), $msg="hello"];
>     Log::write(LOG, l);
>     print "Logged";
> }
> {code}
> The problem is in script land in default_path_func
> {code}
> local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
> print module_parts;
> {code}
> outputs 
> {code}
> [FOO, _B, AR]
> {code}



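Added example, not part of the original report and not Bro's source: a Python emulation of the split quoted in BIT-1324, showing that the pattern written for CamelCase boundaries also matches "_B". The join in joined_path() is an assumption, reconstructed so that it reproduces the foo__b_ar name the report gives; all function names are hypothetical.

```python
import re

# Pattern quoted in the report: a non-uppercase character followed by an
# uppercase one and any lowercase run, meant to find CamelCase boundaries.
BOUNDARY = re.compile(r"([^A-Z][A-Z][a-z]*)")

def split_module(name, max_sep=4):
    """Emulate split_string_n(name, pattern, T, 4): the pieces and the
    matched separators, interleaved."""
    return BOUNDARY.split(name, maxsplit=max_sep)

def joined_path(name):
    """Assumed join step: a separator is 'last char of one word + next
    word', so '_' goes after its first character; plain pieces are
    appended after '_'."""
    parts = split_module(name)
    out = parts[0]
    for i, part in enumerate(parts[1:], start=1):
        if not part:
            continue
        if i % 2:                       # odd positions hold separators
            out += part[0] + "_" + part[1:]
        else:
            out += "_" + part
    return out.lower()

# CamelCase works as intended, while the underscore in FOO_BAR is consumed
# as if it were the last letter of a word.
CASES = {n: joined_path(n) for n in ("PacketFilter", "FOO_BAR", "Notice")}
```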


[Bro-Dev] [JIRA] (BIT-1313) Add help and all options to -B

2015-03-23 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20107#comment-20107
 ] 

Robin Sommer commented on BIT-1313:
---

Adapted and merged in 1dbc5ed523700c5c



Re: [Bro-Dev] [JIRA] (BIT-1353) BroCtl status/top take excessive amount of time

2015-03-23 Thread Johanna Amann
Hi,

On Mon, Mar 23, 2015 at 03:33:13PM -0500, Daniel Thayer wrote:
> I'm glad to hear that you're testing broctl on FreeBSD (I always
> test on Linux).  Here are my initial ideas:

> How many hosts are in your cluster?  (you mentioned "28 physical nodes",
> does that mean 28 computers?!)

It is 28 computers, each running 3 bro worker processes with 2 more
physical machines running the master and proxies.

> Are you running the git master version of broctl?

It is not quite master - it currently is running 5e2defe, so the state as
of March 13th.

> Is every broctl command slow, or just status and top?

All the ones that I tried are slow. I can upgrade to master and test again
- I just wanted to ask if there is some way to debug what is going on
before restarting the cluster, since the problem took a few days to
manifest itself. Hence I probably will not be able to directly reproduce
it :)

> The broctl status command usually spends most of its time
> waiting for broccoli.  I've added a new option that you
> can set in your etc/broctl.cfg file that will skip
> the broccoli code so that broctl status runs much faster.
> To enable this feature, make sure this line is in your
> broctl.cfg file:
> StatusCmdShowAll = 0
> (after you add this, broctl will say that you have to run
> either "install" or "deploy", but you don't actually
> need to for this particular broctl option).

I added this (without running install / deploy) and it is now faster,
but still takes a while. I examined spool/debug.log a bit and it actually
seems that a significant period of time is spent getting the process status.
The timeline currently looks like this:

23 Mar 11:53:05 [broctl] status
23 Mar 11:53:05 [broctl] Getting process status ...
23 Mar 11:53:05 [execute] blade26: 
/xa/bro/master/share/broctl/scripts/helpers/check-pid 2513
[...] (many lines like this and many exit code lines)
23 Mar 11:54:07 [execute] blade15: exit code 0
23 Mar 11:54:07 [execute] blade26: 
/xa/bro/master/share/broctl/scripts/helpers/cat-file 
/xa/bro/master/spool/worker-26-0/.startup
[...]
23 Mar 11:54:09 [execute] blade15: exit code 0
23 Mar 11:54:09 [events] broccoli: Control::peer_status_request() to node 
worker-26-0
[...]
23 Mar 11:54:29 [events] broccoli: 
Control::peer_status_response(1427136868.812806 [...]
-> status output

Johanna


Re: [Bro-Dev] [JIRA] (BIT-1353) BroCtl status/top take excessive amount of time

2015-03-23 Thread Johanna Amann
On Mon, Mar 23, 2015 at 04:15:12PM -0500, Daniel Thayer wrote:
> When you do a broctl status, does it show a status line for every Bro
> node in your cluster?

Yes, it does. At least I think so, the number is quite large :)

> How are you running broctl status:
> 1) just by typing "broctl status", or
> 2) by running "broctl", then type the "status" command at the BroControl
> prompt.

I run broctl first and then type status.

> When you run "broctl status", it must establish an ssh session to
> every remote machine, which could take awhile when there are 28
> machines.  However, when you run just "broctl", then type "status"
> at the BroControl prompt, it keeps the ssh sessions open, so the 2nd
> time you type "status" should be faster than the 1st time (because
> the 2nd time it doesn't need to do the ssh connections).

There does not seem to be a big speed difference between the first time
and the second time status is run.

Johanna