[Bro-Dev] [Auto] Merge Status

2015-04-03 Thread Merge Tracker

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  --------------------------------
BIT-1362 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-04-01  2.4          Normal    topic/dnthayer/fixes-for-2.4 [2]


Open GitHub Pull Requests
=========================

Issue    Component  User         Updated     Title
-------  ---------  -----------  ----------  -------------------------------------------------------------------------
#29 [3]  bro        jshlbrd [4]  2015-03-25  Add PROXY-AUTHORIZATION header to http.log [5]
#28 [6]  bro        aeppert [7]  2015-03-20  Seems to fix a case where an entry in the table may be null on insert. [8]


[1]  BIT-1362  https://bro-tracker.atlassian.net/browse/BIT-1362
[2]  fixes-for-2.4  https://github.com/bro/brocontrol/tree/topic/dnthayer/fixes-for-2.4
[3]  Pull Request #29  https://github.com/bro/bro/pull/29
[4]  jshlbrd  https://github.com/jshlbrd
[5]  Merge Pull Request #29 with:  git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git patch-2
[6]  Pull Request #28  https://github.com/bro/bro/pull/28
[7]  aeppert  https://github.com/aeppert
[8]  Merge Pull Request #28 with:  git pull --no-ff --no-commit https://github.com/aeppert/bro.git master

___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1364:
-

Assignee: Jon Siwek

 Bro does not attach UDP analyzers when signature matches after first packet
 ---

 Key: BIT-1364
 URL: https://bro-tracker.atlassian.net/browse/BIT-1364
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Jon Siwek
Priority: Low
 Fix For: 2.4

 Attachments: f1.pcap, f2.pcap


 At the moment, Bro only seems to attach UDP analyzers based on signatures if 
 the very first UDP packet matches the signature. Even if later UDP packets 
 match the signature, the analyzer is not attached.
 The attachments contain a test case. f1.pcap contains a DTLS connection with 
 a few STUN packets that are sent first, which is not recognized as DTLS. 
 f2.pcap contains the same connection with the first few packets missing.
 It would probably be nice if one could at least opt to attach analyzers at a 
 later time too, if a signature matches. (I know that 2.4 is probably a bit 
 optimistic for this.)



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)


[Bro-Dev] [JIRA] (BIT-1355) Hitting crl+c in broctl gives ugly output

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20223#comment-20223
 ] 

Robin Sommer commented on BIT-1355:
---

Part of BIT-1362.

 Hitting crl+c in broctl gives ugly output
 -

 Key: BIT-1355
 URL: https://bro-tracker.atlassian.net/browse/BIT-1355
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
 Fix For: 2.4


 Hitting ctrl+c in broctl results in an ugly stack-trace at the moment:
 {code}
 $ broctl
 warning: new bro version detected (run the broctl deploy command)
 Welcome to BroControl 1.3-162
 Type "help" for help.
 [BroControl] > Traceback (most recent call last):
   File "/xa/bro/master/bin/broctl", line 777, in <module>
     sys.exit(main())
   File "/xa/bro/master/bin/broctl", line 772, in main
     cmdsuccess = loop.cmdloop("\nWelcome to BroControl %s\n\nType \"help\" for help.\n" % version.VERSION)
   File "/xa/bro/master/lib/broctl/BroControl/brocmd.py", line 36, in cmdloop
     line = py3bro.input(self.prompt)
 KeyboardInterrupt
 $
 {code}





[Bro-Dev] [JIRA] (BIT-1355) Hitting crl+c in broctl gives ugly output

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1355:
--
Resolution: Fixed
Status: Closed  (was: Open)

 Hitting crl+c in broctl gives ugly output
 -

 Key: BIT-1355
 URL: https://bro-tracker.atlassian.net/browse/BIT-1355
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
 Fix For: 2.4







[Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20228#comment-20228
 ] 

Robin Sommer commented on BIT-1329:
---

Fixed in BIT-1362.

 BroControl scripts displays meta-information from bro logger
 

 Key: BIT-1329
 URL: https://bro-tracker.atlassian.net/browse/BIT-1329
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
 Fix For: 2.4


 When issuing a "broctl scripts", the output contains meta bro-log lines (like 
 #fields, etc.) that we probably do not want to display in this case.
 Example:
 {code}
 [BroControl] > scripts manager
 manager scripts are ok.
   #separator \x09
   #set_separator  ,
   #empty_field    (empty)
   #unset_field    -
   #path           loaded_scripts
   #open           2015-03-05-13-24-34
   #fields         name
   #types          string
   /xa/bro/master/share/bro/base/init-bare.bro
   /xa/bro/master/share/bro/base/bif/const.bif.bro
   ...
   /xa/bro/master/share/bro/broctl/check.bro
   #close          2015-03-05-13-24-34
 {code}





[Bro-Dev] [JIRA] (BIT-631) Special message for broctl locking when done by cron

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-631:
-
Resolution: Fixed
Status: Closed  (was: Open)

 Special message for broctl locking when done by cron
 

 Key: BIT-631
 URL: https://bro-tracker.atlassian.net/browse/BIT-631
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: BroControl
Reporter: Seth Hall
Assignee: Daniel Thayer
 Fix For: 2.4


 If the broctl lock is being held by the cron command it would be nice if the 
 message that indicates a lock is already held would indicate if it is the 
 cron command.  If multiple people are working with broctl the person that 
 gets a lock doesn't know if it's because of another user or because they 
 happened to be trying to do something while the cron command is running.





[Bro-Dev] [JIRA] (BIT-931) Ascii writer does not escape empty sets / vectors

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-931?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-931:
-
Fix Version/s: (was: 2.4)
   2.5

 Ascii writer does not escape empty sets / vectors
 -

 Key: BIT-931
 URL: https://bro-tracker.atlassian.net/browse/BIT-931
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Seth Hall
 Fix For: 2.5


 The script
 {noformat}
 redef LogAscii::empty_field = "EMPTY";

 module SSH;

 export {
   redef enum Log::ID += { LOG };
   type Log: record {
     ss: set[string];
   } &log;
 }

 event bro_init()
   {
   Log::create_stream(SSH::LOG, [$columns=Log]);
   Log::write(SSH::LOG, [$ss=set("EMPTY")]);
   }
 {noformat}
 outputs the line
 {noformat}
 EMPTY
 {noformat}
 to a log file. This makes it impossible to distinguish a line containing 
 "EMPTY" from a line containing an empty set.



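The collision BIT-931 describes, together with the Bro ASCII header lines quoted in BIT-1329 above, as an added example (not code from the Bro project): a reader for the Bro ASCII log format that keeps the # meta lines out of the rows and decodes set columns, beside a small model of the writer's set encoding as reported and an assumed escaping remedy. The header and rows are constructed here, not taken from a Bro run.

```python
"""Reader for the Bro ASCII log format plus a small model of its set encoding.

Added example, not code from the Bro project. It consumes the header
directives quoted in BIT-1329 (#separator, #set_separator, #empty_field,
#unset_field, #path, #fields, #types, ...) and reproduces the BIT-931
ambiguity: with LogAscii::empty_field redefined to EMPTY, a set whose only
element is the string "EMPTY" is written exactly like an empty set.
The log text below is constructed for the demo, not taken from a Bro run.
"""
import re

_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(s):
    """Undo Bro's \\xHH byte escaping (used for the separator and in values)."""
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), s)


def encode_set_as_reported(values, empty_field, set_separator=","):
    """Writer behaviour reported in BIT-931: an empty set becomes the marker,
    otherwise elements are joined verbatim, even one equal to the marker."""
    return empty_field if not values else set_separator.join(sorted(values))


def encode_set_escaped(values, empty_field, set_separator=","):
    """Assumed remedy (illustrative, not the project's actual fix): hex-escape
    the first character of an element equal to the marker, so the literal
    string round-trips while a bare marker still means 'empty set'."""
    out = ["\\x%02x%s" % (ord(v[0]), v[1:]) if v == empty_field else v
           for v in sorted(values)]
    return empty_field if not values else set_separator.join(out)


def parse_bro_ascii(text):
    """Return (directives, rows). set[...]/vector[...] columns decode to Python
    sets/lists and the unset marker to None; the '#' meta lines (the ones
    BIT-1329 wants hidden from 'broctl scripts') never reach the rows."""
    d = {"separator": "\t", "set_separator": ",",
         "empty_field": "(empty)", "unset_field": "-"}
    fields, types, rows = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The only directive split on a space: the separator is not known yet.
            d["separator"] = unescape(line[len("#separator "):])
        elif line.startswith("#"):
            key, _, value = line[1:].partition(d["separator"])
            if key == "fields":
                fields = value.split(d["separator"])
            elif key == "types":
                types = value.split(d["separator"])
            else:  # set_separator, empty_field, unset_field, path, open, close
                d[key] = value
        else:
            cols = line.split(d["separator"])
            rows.append({n: _decode(raw, t, d)
                         for n, t, raw in zip(fields, types, cols)})
    return d, rows


def _decode(raw, typ, d):
    if raw == d["unset_field"]:
        return None
    is_set, is_vec = typ.startswith("set["), typ.startswith("vector[")
    if is_set or is_vec:
        if raw == d["empty_field"]:
            return set() if is_set else []
        items = [unescape(x) for x in raw.split(d["set_separator"])]
        return set(items) if is_set else items
    return unescape(raw)


# Constructed header mirroring the BIT-931 script: empty_field is "EMPTY" and
# the single column ss is a set[string].
HEADER = ("#separator \\x09\n#set_separator\t,\n#empty_field\tEMPTY\n"
          "#unset_field\t-\n#path\tssh\n#fields\tss\n#types\tset[string]\n")


def round_trip(encoder):
    """Write an empty set and the set {"EMPTY"} with `encoder`, read the log
    back, and return the two decoded values in order."""
    body = "".join(encoder(s, "EMPTY") + "\n" for s in (set(), {"EMPTY"}))
    _, rows = parse_bro_ascii(HEADER + body)
    return [r["ss"] for r in rows]


if __name__ == "__main__":
    print("as reported:", round_trip(encode_set_as_reported))  # [set(), set()]
    print("escaped:    ", round_trip(encode_set_escaped))      # [set(), {'EMPTY'}]
```

With the reported encoding both rows read back as an empty set, which is exactly the loss of information the ticket complains about; with the escaped form the literal string survives the round trip.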


[Bro-Dev] [JIRA] (BIT-1368) File type identification fixes

2015-04-03 Thread Seth Hall (JIRA)
Seth Hall created BIT-1368:
--

 Summary: File type identification fixes
 Key: BIT-1368
 URL: https://bro-tracker.atlassian.net/browse/BIT-1368
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: 2.4
Reporter: Seth Hall
Assignee: Seth Hall


I have some changes nearly queued up for the 2.4 release in the repository 
(topic/seth/more-file-type-ident-fixes) but a bit more work needs to be 
done.

There may be one more breaking change to the files API coming in this branch 
too.  Jon and I discussed some options and I think that creating a new event 
named file_sniff in place of the file_mime_type event makes sense.  We can put 
the mime type and more sniff-originated data in a record on that event so 
that we can extend it cleanly (and without breaking APIs) in the future.  I 
think it will look something like this:

```
type fa_sniff: record {
	## Depth sniffed.
	depth: count &default=0;
	## Sniffed mime type if one was discovered.
	mime_type: string &optional;
};

event file_sniff(f: fa_file, sniff: fa_sniff)
	{
	if ( sniff?$mime_type )
		{
		print sniff$mime_type;
		}
	}
```

One other thing this branch will address is a performance degradation from 
certain file signatures interacting with each other poorly.





[Bro-Dev] [JIRA] (BIT-1367) Type clashing problem when records with default values are used in sets.

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1367:
-

Assignee: Robin Sommer

 Type clashing problem when records with default values are used in sets.
 

 Key: BIT-1367
 URL: https://bro-tracker.atlassian.net/browse/BIT-1367
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Robin Sommer
  Labels: logging
 Fix For: 2.4


 topic/johanna/sft-port is a branch that contains a slight modification to the 
 sftp log-rotator, adding the possibility to select the server port with a 
 default value of 20.
 After adding this small change, the Bro type system is no longer able to 
 figure out that it can coerce the record in cases that previously worked. The 
 default invocation of the sftp log-rotator using:
 {code}
 Log::add_filter(Conn::LOG, [$name="test", $path="testconn", $writer=Log::WRITER_ASCII,
                             $interv=1hr, $postprocessor=Log::sftp_postprocessor]);
 Log::sftp_destinations[Log::WRITER_ASCII, "testconn"] = 
     set([$user="testuser", $host="testhost", $path="testpath"]);
 {code}
 or similar leads to
 {code}
 type clash in assignment (Log::sftp_destinations[Log::WRITER_ASCII, "testconn"] = set([$user="testuser", $host="testhost", $path="testpath"]))
 {code}
 Directly specifying the type of the record works, but would break all other 
 scripts that are using the sftp log-rotator currently.
 Working example:
 {code}
 Log::add_filter(Conn::LOG, [$name="test", $path="testconn", $writer=Log::WRITER_ASCII,
                             $interv=1hr, $postprocessor=Log::sftp_postprocessor]);
 Log::sftp_destinations[Log::WRITER_ASCII, "testconn"] = 
     set(Log::SFTPDestination($user="testuser", $host="testhost", $path="testpath"));
 {code}
 Once this is fixed, topic/johanna/sft-port can be merged.





[Bro-Dev] [JIRA] (BIT-1367) Type clashing problem when records with default values are used in sets.

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1367:
-

Assignee: Jon Siwek  (was: Robin Sommer)

 Type clashing problem when records with default values are used in sets.
 

 Key: BIT-1367
 URL: https://bro-tracker.atlassian.net/browse/BIT-1367
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Jon Siwek
  Labels: logging
 Fix For: 2.4







[Bro-Dev] [JIRA] (BIT-1360) Better error message when SpoolDir does not exist

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20221#comment-20221
 ] 

Robin Sommer commented on BIT-1360:
---

Included in BIT-1362

 Better error message when SpoolDir does not exist
 -

 Key: BIT-1360
 URL: https://bro-tracker.atlassian.net/browse/BIT-1360
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
Priority: Low
 Fix For: 2.4


 Currently, the error message that is given when SpoolDir in broctl.cfg does 
 not exist is rather unhelpful (something in the direction of "Cannot open 
 database").





[Bro-Dev] [JIRA] (BIT-1342) Occasional test failures

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1342:
-

Assignee: Daniel Thayer

 Occasional test failures
 

 Key: BIT-1342
 URL: https://bro-tracker.atlassian.net/browse/BIT-1342
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Reporter: Robin Sommer
Assignee: Daniel Thayer
 Fix For: 2.4


 Two tests in current master fail for me occasionally (usually when I run the 
 full broctl test-suite but not when I rerun just these failing tests). Diag 
 output below.
 {code}
 command.start-stop-standalone ... failed
   % 'btest-diff stop.out' failed unexpectedly (exit code 1)
   % cat .diag
   == File ===
   stopping bro ...
   Exception in thread Thread-1 (most likely raised during interpreter shutdown):
   Traceback (most recent call last):
   File "/usr/lib64/python2.7/threading.py", line 811, in __bootstrap_inner
   File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", line
   File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", line
   File "/usr/lib64/python2.7/Queue.py", line 177, in get
   File "/usr/lib64/python2.7/threading.py", line 354, in wait
   <type 'exceptions.TypeError'>: 'NoneType' object is not callable
   == Diff ===
   --- 
 /home/robin/bro/master/aux/broctl/testing/Baseline/command.start-stop-standalone/stop.out
  2013-06-01 00:29:07.
   +++ stop.out  2015-03-17 22:50:01.857838625 +
   @@ -1 +1,9 @@
   stopping bro ...
   +Exception in thread Thread-1 (most likely raised during interpreter 
 shutdown):
   +Traceback (most recent call last):
   +  File /usr/lib64/python2.7/threading.py, line 811, in __bootstrap_inner
   +  File 
 /home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py,
  l
   +  File 
 /home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py,
  l
   +  File /usr/lib64/python2.7/Queue.py, line 177, in get
   +  File /usr/lib64/python2.7/threading.py, line 354, in wait
   +type 'exceptions.TypeError': 'NoneType' object is not callable
   ===
 [...]
 command.start-cluster-slowstart ... failed
   % 'btest-diff status2.out' failed unexpectedly (exit code 1)
   % cat .diag
   == File ===
   Getting process status ...
   Getting peer status ...
   Name       Type     Host        Status    Pid    Peers  Started
   manager    manager  localhost   stopped
   proxy-1    proxy    localhost   stopped
   worker-1   worker   localhost   stopped
   worker-2   worker   localhost   stopped
   == Diff ===
   --- 
 /home/robin/bro/master/aux/broctl/testing/Baseline/command.start-cluster-slowstart/status2.out
 2015-03-04 20:16
   +++ status2.out   2015-03-17 22:50:26.578618684 +
   @@ -3,5 +3,5 @@
   Name TypeHost StatusPidPeers  Started
   manager  manager localhoststopped
   proxy-1  proxy   localhoststopped
   -worker-1 worker  localhostcrashed
   +worker-1 worker  localhoststopped
   worker-2 worker  localhoststopped
   ===
 {code}





[Bro-Dev] [JIRA] (BIT-1336) ElasticSearch indices in UTC

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1336:
-

Assignee: Seth Hall

 ElasticSearch indices in UTC
 

 Key: BIT-1336
 URL: https://bro-tracker.atlassian.net/browse/BIT-1336
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: 2.4
Reporter: Vlad Grigorescu
Assignee: Seth Hall
Priority: Trivial
 Fix For: 2.4


 For improved compatibility with Kibana and other ElasticSearch frontends, the 
 timestamps on the Bro indices should be changed to UTC.





[Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1329:
--
Resolution: Fixed
Status: Closed  (was: Reopened)

 BroControl scripts displays meta-information from bro logger
 

 Key: BIT-1329
 URL: https://bro-tracker.atlassian.net/browse/BIT-1329
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
 Fix For: 2.4







[Bro-Dev] [JIRA] (BIT-1369) Kerberos Analyzer

2015-04-03 Thread Vlad Grigorescu (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1369?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vlad Grigorescu updated BIT-1369:
-
Fix Version/s: 2.4

 Kerberos Analyzer
 -

 Key: BIT-1369
 URL: https://bro-tracker.atlassian.net/browse/BIT-1369
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Affects Versions: 2.4
Reporter: Vlad Grigorescu
Assignee: Vlad Grigorescu
 Fix For: 2.4


 topic/vladg/kerberos has a Kerberos analyzer.





[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1364:
--
Priority: Low  (was: Normal)

 Bro does not attach UDP analyzers when signature matches after first packet
 ---

 Key: BIT-1364
 URL: https://bro-tracker.atlassian.net/browse/BIT-1364
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Priority: Low
 Fix For: 2.4

 Attachments: f1.pcap, f2.pcap







[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20226#comment-20226
 ] 

Robin Sommer commented on BIT-1339:
---

Turns out this needs more discussion, as the right solution isn't quite clear 
yet.

 Remove src and dst from notice
 --

 Key: BIT-1339
 URL: https://bro-tracker.atlassian.net/browse/BIT-1339
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Seth Hall
Assignee: Seth Hall
 Fix For: 2.5


 Email from Brian Kellog...
 Related to this, I'm planning on deprecating $src and $dst from notices and 
 removing their use from all shipped Bro scripts.
 {quote}
 I'm going through and updating the NOTICEs for different detection scripts 
 built into Bro.  Trying to get the generated NOTICE logs set correctly for 
 ELSA to parse.  It is working but I'm not sure if I'm doing this the most Bro 
 appropriate way.  Couple questions:
 Is this the best way to accomplish this task?  Secondly, if advisable, how do 
 we get these script changes incorporated into Bro base?  I'm not that 
 experienced with git but willing to learn more if needed.  These changes were 
 made, again, to benefit ELSA searching/grouping and for the Bro correlation 
 script recently released.
 Here's what I changed/added to some of the built-in detection scripts (lines 
 with + are what I changed/added):

 /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
     NOTICE([$note=Password_Guessing,
             $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
             $sub=sub_msg,
 +           #$src=key$host,
 +           $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
             $identifier=cat(key$host)]);
     }]);

 /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
     NOTICE([$note=FTP::Bruteforcing,
 +           #$src=key$host,
 +           $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
             $msg=message,
             $identifier=cat(key$host)]);
     }]);

 /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
     NOTICE([$note=SQL_Injection_Attacker,
             $msg="An SQL injection attacker was discovered!",
             $email_body_sections=vector(format_sqli_samples(r$samples)),
 +           #$src=key$host,
 +           $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
 +           $sub=cat(format_sqli_samples(r$samples)),
             $identifier=cat(key$host)]);
     }]);
 …
     NOTICE([$note=SQL_Injection_Victim,
             $msg="An SQL injection victim was discovered!",
             $email_body_sections=vector(format_sqli_samples(r$samples)),
 +           #$src=key$host,
 +           $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
 +           $sub=cat(format_sqli_samples(r$samples)),
             $identifier=cat(key$host)]);
     }]);

 /opt/bro/share/bro/policy/misc/scan.bro
     NOTICE([$note=Address_Scan,
             #$src=key$host,
 +           $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
 +           #$p=to_port(key$str),
             $sub=side,
             $msg=message,
             $identifier=cat(key$host)]);
     }]);
 …
     NOTICE([$note=Port_Scan,
             #$src=key$host,
 +           $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
 +           #$dst=to_addr(key$str),
             $sub=side,
             $msg=message,
             $identifier=cat(key$host)]);
     }]);

 /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
     NOTICE([$note=Traceroute::Detected,
             $msg=fmt("%s seems to be running traceroute using %s", src, proto),
 +           #$src=src,
 +           $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
             $identifier=cat(src,proto)]);
     }]);
 {quote}





[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1339:
--
Fix Version/s: (was: 2.4)
   2.5

 Remove src and dst from notice
 --

 Key: BIT-1339
 URL: https://bro-tracker.atlassian.net/browse/BIT-1339
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Seth Hall
Assignee: Seth Hall
 Fix For: 2.5







[Bro-Dev] [JIRA] (BIT-1368) File type identification fixes

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1368?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1368:
--
Fix Version/s: 2.4

 File type identification fixes
 --

 Key: BIT-1368
 URL: https://bro-tracker.atlassian.net/browse/BIT-1368
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: 2.4
Reporter: Seth Hall
Assignee: Seth Hall
 Fix For: 2.4


 I have some changes nearly queued up for the 2.4 release in the repository 
 (topic/seth/more-file-type-ident-fixes), but a bit more work needs to 
 be done.
 There may be one more breaking change to the files api coming in this branch 
 too.  Jon and I discussed some options and I think that creating a new event 
 named file_sniff in place of the file_mime_type event makes sense.  We can 
 put the mime type and more sniff originated data in a record on that event 
 so that we can extend it cleanly (and without breaking APIs) in the future.  
 I think it will look something like this:
 ```
 type fa_sniff: record {
 ## Depth sniffed.
 depth: count &default=0;
 ## Sniffed mime type if one was discovered.
 mime_type: string &optional;
 };
 event file_sniff(f: fa_file, sniff: fa_sniff)
 {
 if ( sniff?$mime_type )
 {
 print sniff$mime_type;
 }
 }
 ```
 One other thing this branch will address is a performance degradation from 
 certain file signatures interacting with each other poorly.





[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1365:
-

Assignee: Vlad Grigorescu

 direction field of SSH::Info no longer populated
 

 Key: BIT-1365
 URL: https://bro-tracker.atlassian.net/browse/BIT-1365
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Jon Siwek
Assignee: Vlad Grigorescu
 Fix For: 2.4


 Here's the bug report:
 {quote}
 Reporter::ERROR   field value missing
 [SSH::c$ssh$direction]
 /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro, line 29
 Reporter::WARNING non-void function returns without a value:
 SSH::get_location (empty)
 Tracing this back, it looks like the SSH::c$ssh$direction is not being
 populated. I checked the /base/protocols/ssh/main.bro file and it looks
 like the function is missing.
 Looking at https://www.bro.org/sphinx/_downloads/main32.bro and
 https://github.com/bro/bro/blob/master/scripts/base/protocols/ssh/main.bro
 it looks like the function that determined the direction was removed at
 one point, which looks like it causes the
 /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro script to fail
 {quote}



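The direction logic the quoted report says went missing, as an added example in Python rather than Bro script (it is not the project's code): it classifies a connection relative to a set of local networks and picks the remote end for the geolocation that geo-data.bro wants. The LOCAL_NETS list, the sample addresses and the two-valued OUTBOUND/INBOUND convention are assumptions (Bro's Direction type has more values than the two used here); the both-local case, which has no remote end to look up, is returned as None so a caller does not reproduce the empty-return failure in the report.

```python
"""Connection direction relative to the local network, and which end to geolocate.

Added example (Python, not the Bro script). LOCAL_NETS, the sample
connections and the two-valued convention are assumptions.
"""
import ipaddress
from enum import Enum
from typing import Iterable, Optional


class Direction(Enum):
    INBOUND = "INBOUND"    # remote originator logging into a local responder
    OUTBOUND = "OUTBOUND"  # local originator logging into a remote responder


# Constructed stand-in for Site::local_nets (assumption, not a real site config).
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "192.168.0.0/16", "2001:db8::/32")]


def is_local_addr(addr: str, local_nets: Iterable = LOCAL_NETS) -> bool:
    """True if addr falls inside any local network (v4/v6 mismatches are simply False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in local_nets)


def ssh_direction(orig_h: str, resp_h: str, local_nets=LOCAL_NETS) -> Direction:
    """Assumed convention: a local originator means an outbound login, anything else inbound."""
    return Direction.OUTBOUND if is_local_addr(orig_h, local_nets) else Direction.INBOUND


def geo_lookup_host(orig_h: str, resp_h: str, local_nets=LOCAL_NETS) -> Optional[str]:
    """The endpoint worth geolocating is the remote one.

    Returns None when both ends are local: there is nothing remote to look up,
    and a caller must handle that instead of returning nothing by accident.
    """
    if is_local_addr(orig_h, local_nets) and is_local_addr(resp_h, local_nets):
        return None
    if ssh_direction(orig_h, resp_h, local_nets) is Direction.OUTBOUND:
        return resp_h
    return orig_h


if __name__ == "__main__":
    # Constructed sample connections.
    for orig, resp in (("10.1.2.3", "203.0.113.5"), ("203.0.113.5", "192.168.1.9"),
                       ("10.1.1.1", "10.2.2.2")):
        print(orig, "->", resp, ssh_direction(orig, resp).value, geo_lookup_host(orig, resp))
```

The both-local branch is the one a geolocation script needs to guard: looking up a private address yields nothing useful, and silently returning an empty result is what the Reporter::WARNING in the quoted report looks like.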


[Bro-Dev] [JIRA] (BIT-1360) Better error message when SpoolDir does not exist

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1360:
--
Resolution: Fixed
Status: Closed  (was: Open)

 Better error message when SpoolDir does not exist
 -

 Key: BIT-1360
 URL: https://bro-tracker.atlassian.net/browse/BIT-1360
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
Priority: Low
 Fix For: 2.4


 Currently, the error message that is given when SpoolDir in broctl.cfg does 
 not exist is rather unhelpful (something in the direction of "Cannot open 
 database").





[Bro-Dev] [JIRA] (BIT-1370) SIP Analyzer

2015-04-03 Thread Aashish Sharma (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20222#comment-20222
 ] 

Aashish Sharma commented on BIT-1370:
-

I've been running vlad's branch (2443d319112fd345878766618951c56c2fd65fbd) for 
a long while and for all practical purposes, it's been running stably and 
blocking sip scanners and logging sip sessions. 

There are a couple of unknown_SIP_method (SUBSCRIBE and NOTIFY) entries in the 
weird logs.  I will send vlad pcaps for these specific ones. At present, I don't 
know if these are affecting anything per se. 



 SIP Analyzer
 

 Key: BIT-1370
 URL: https://bro-tracker.atlassian.net/browse/BIT-1370
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Affects Versions: 2.4
Reporter: Vlad Grigorescu
Assignee: Vlad Grigorescu

 topic/vladg/sip has a SIP analyzer.





[Bro-Dev] [JIRA] (BIT-1349) Broctl stop output is not sorted anymore

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20225#comment-20225
 ] 

Robin Sommer commented on BIT-1349:
---

Fixed in BIT-1362.

 Broctl stop output is not sorted anymore
 

 Key: BIT-1349
 URL: https://bro-tracker.atlassian.net/browse/BIT-1349
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
Priority: Trivial
 Fix For: 2.4


 Minor: the output of the worker nodes when doing broctl stop is not sorted 
 anymore. We should either sort it (or just skip outputting it altogether); 
 at the moment it is not really useful: if there is no numerical order it is 
 difficult to see whether a number one wants to have in there is missing or not.





[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1339:
-

Assignee: (was: Seth Hall)

 Remove src and dst from notice
 --

 Key: BIT-1339
 URL: https://bro-tracker.atlassian.net/browse/BIT-1339
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Seth Hall
 Fix For: 2.5


 Email from Brian Kellog...
 Related to this, I'm planning on deprecating $src and $dst from notices and 
 removing their use from all shipped Bro scripts.
 {quote}
 I'm going through and updating the NOTICEs for different detection scripts 
 built into Bro.  Trying to get the generated NOTICE logs set correctly for 
 ELSA to parse.  It is working but I'm not sure if I'm doing this the most Bro 
 appropriate way.  A couple of questions:
 Is this the best way to accomplish this task?  Secondly, if advisable, how do 
 we get these script changes incorporated into Bro base?  I'm not that 
 experienced with git but willing to learn more if needed.  These changes were 
 made, again, to benefit ELSA searching/grouping and for the Bro correlation 
 script recently released.
 Here's what I changed/added to some of the built-in detection scripts (Lines 
 with + are what I changed/added):
 /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
 NOTICE([$note=Password_Guessing,
$msg=fmt(%s appears to be guessing SSH passwords (seen in %d 
 connections)., key$host, r$num),
$sub=sub_msg,
 +   #$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
$identifier=cat(key$host)]);
 }]);
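Review bot: the `$id` record here fills the unknown half of the connection with sentinels (`$resp_h=0.0.0.0`, `$orig_p=0/tcp`, `$resp_p=0/tcp`), and a consumer of notice.log cannot tell that placeholder from a real observation of 0.0.0.0 on port 0; the FTP and SQLi blocks below use the same pattern. conn_id fields are not optional, so a connection known only on one side cannot be expressed in `$id` without sentinels, and this notice is aggregated over `r$num` connections anyway. If ELSA needs the guessing host in a fixed column, `$src=key$host` (only commented out here) already carries it; if the synthetic `$id` stays, document the sentinel convention so downstream filters can exclude it.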
 /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
 NOTICE([$note=FTP::Bruteforcing,
 +   #$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
$msg=message,
$identifier=cat(key$host)]);
 }]);
 /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
 NOTICE([$note=SQL_Injection_Attacker,
$msg=An SQL injection attacker was discovered!,
$email_body_sections=vector(format_sqli_samples(r$samples)),
 +   #$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
 +   $sub=cat(format_sqli_samples(r$samples)),
$identifier=cat(key$host)]);
 }]);
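Review bot: `$sub=cat(format_sqli_samples(r$samples))` wraps a value that is already a string (the same call is used bare as a `$email_body_sections` element two lines up), so `cat()` adds nothing; more importantly it copies every sampled request, i.e. attacker-controlled URIs, into the `sub` column of notice.log, where before they went only into the e-mail body. The same line is added to the SQL_Injection_Victim block below. If ELSA needs the samples in the log, keep the field but drop the `cat()`, and be aware that the notice line becomes as long as the sample set and that the sample text is now written twice per notice.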
 …
 NOTICE([$note=SQL_Injection_Victim,
$msg=An SQL injection victim was discovered!,
$email_body_sections=vector(format_sqli_samples(r$samples)),
 +   #$src=key$host,
 +   
 $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
 +   $sub=cat(format_sqli_samples(r$samples)),
$identifier=cat(key$host)]);
 }]);
 /opt/bro/share/bro/policy/misc/scan.bro
 NOTICE([$note=Address_Scan,
#$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
 +   #$p=to_port(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
 }]);
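Review bot: `$resp_p=key$str` assigns a string to the `resp_p` port field of conn_id; the commented-out `#$p=to_port(key$str)` shows that `key$str` holds the scanned port as text, so the conversion is still needed: `$resp_p=to_port(key$str)`. As written the record constructor is a type mismatch and the script will be rejected at load time.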
 …
 NOTICE([$note=Port_Scan,
#$src=key$host,
 +   
 $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
 +   #$dst=to_addr(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
 }]);
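Review bot: same problem with `$resp_h=key$str`: `resp_h` is an addr and `key$str` is the scanned host as a string (the replaced line converted it with `to_addr(key$str)`), so this needs `$resp_h=to_addr(key$str)`. `$resp_p=0/tcp` is a reasonable "unknown" for a port scan, where the port varies by definition, but say so in a comment so the zero is not read as a real observation.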
 /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
 NOTICE([$note=Traceroute::Detected,
$msg=fmt(%s seems to be running traceroute using %s, src, 
 proto),
 +   #$src=src,
 +   $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
$identifier=cat(src,proto)]);
 }]);
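Review bot: both ports are hard-coded to `0/icmp` while the message on the line above reports the probe protocol in `proto`, so a UDP or TCP traceroute is logged with an ICMP conn_id. Either build the ports from the protocol actually seen, or leave `$id` unset and keep `$src=src` plus `$dst=dst`: unlike the scan and brute-force notices this one has real per-host endpoints and does not need a sentinel.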
 {quote}





[Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20230#comment-20230
 ] 

Robin Sommer commented on BIT-1306:
---

Check the change.

 bro process would get stuck/freeze with myricom drivers
 ---

 Key: BIT-1306
 URL: https://bro-tracker.atlassian.net/browse/BIT-1306
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
 Environment:  OS: FreeBSD 9.3-RELEASE-p5 OS
 bro version 2.3-328
 git log -1 --format=%H
 379593c7fded0f9791ae71a52dd78a4c9d5a2c1f
Reporter: Aashish Sharma
  Labels: bro-git, myricom
 Fix For: 2.4


 When I stop bro (in cluster mode), one of the bro worker processes (random) 
 would get stuck and wouldn't shut down, stop, or even be killed using kill -s 
 9. 
 The system ultimately has to be rebooted to remove the stuck bro process. 
 On running myri_start_stop I see:
 # /usr/local/opt/snf/sbin/myri_start_stop stop
 Removing myri_snf.ko
 kldunload: can't unload file: Device busy
 It appears that the myri_snf.ko driver cannot be unloaded because of the 
 stuck bro process.  That process still has an open descriptor on the Sniffer 
 device/driver, and the bro process freezes. 
 More details:
 The bro process is stuck in RNE state
 R   Marks a runnable process.
 N   The process has reduced CPU scheduling priority (see setpriority(2)).
 E   The process is trying to exit.
 Here is an example:
 ### stuck process:
 [bro@01 ~]$ ps auxwww | fgrep 1616
 bro1616  100.0  0.0 758040 60480 ??  RNE   2:57PM   53:50.04 
 /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p 
 local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro 
 broctl/auto
 when checking for process in proc:
 [bro@c ~]$ ls -l /proc/1616
 ls: /proc/1616: No such file or directory





[Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1306:
-

Assignee: Robin Sommer

 bro process would get stuck/freeze with myricom drivers
 ---

 Key: BIT-1306
 URL: https://bro-tracker.atlassian.net/browse/BIT-1306
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
 Environment:  OS: FreeBSD 9.3-RELEASE-p5 OS
 bro version 2.3-328
 git log -1 --format=%H
 379593c7fded0f9791ae71a52dd78a4c9d5a2c1f
Reporter: Aashish Sharma
Assignee: Robin Sommer
  Labels: bro-git, myricom
 Fix For: 2.4


 When I stop bro (in cluster mode), one of the bro worker processes (random) 
 would get stuck and wouldn't shut down, stop, or even be killed using kill -s 
 9. 
 The system ultimately has to be rebooted to remove the stuck bro process. 
 On running myri_start_stop I see:
 # /usr/local/opt/snf/sbin/myri_start_stop stop
 Removing myri_snf.ko
 kldunload: can't unload file: Device busy
 It appears that the myri_snf.ko driver cannot be unloaded because of the 
 stuck bro process.  That process still has an open descriptor on the Sniffer 
 device/driver, and the bro process freezes. 
 More details:
 The bro process is stuck in RNE state
 R   Marks a runnable process.
 N   The process has reduced CPU scheduling priority (see setpriority(2)).
 E   The process is trying to exit.
 Here is an example:
 ### stuck process:
 [bro@01 ~]$ ps auxwww | fgrep 1616
 bro1616  100.0  0.0 758040 60480 ??  RNE   2:57PM   53:50.04 
 /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p 
 local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro 
 broctl/auto
 when checking for process in proc:
 [bro@c ~]$ ls -l /proc/1616
 ls: /proc/1616: No such file or directory





[Bro-Dev] [JIRA] (BIT-1370) SIP Analyzer

2015-04-03 Thread Vlad Grigorescu (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1370?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vlad Grigorescu updated BIT-1370:
-
Fix Version/s: 2.4

 SIP Analyzer
 

 Key: BIT-1370
 URL: https://bro-tracker.atlassian.net/browse/BIT-1370
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Affects Versions: 2.4
Reporter: Vlad Grigorescu
Assignee: Vlad Grigorescu
 Fix For: 2.4


 topic/vladg/sip has a SIP analyzer.





[Bro-Dev] [JIRA] (BIT-1370) SIP Analyzer

2015-04-03 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1370:


 Summary: SIP Analyzer
 Key: BIT-1370
 URL: https://bro-tracker.atlassian.net/browse/BIT-1370
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Affects Versions: 2.4
Reporter: Vlad Grigorescu
Assignee: Vlad Grigorescu


topic/vladg/sip has a SIP analyzer.





[Bro-Dev] [JIRA] (BIT-1331) Bro manager crashes when logs rotate

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1331:
--
Priority: Normal  (was: Low)

 Bro manager crashes when logs rotate
 

 Key: BIT-1331
 URL: https://bro-tracker.atlassian.net/browse/BIT-1331
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master, 2.4
 Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
Reporter: Josh Liburdi
 Fix For: 2.4


 The Bro manager crashes when the logs rotate. Workers run fine through this 
 process. 
 stderr.log output:
 internal error: finish missing
 /usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted 
 (core dumped) nohup $mybro $@
 send-mail: SENDMAIL-NOTFOUND not found





[Bro-Dev] [JIRA] (BIT-947) Incorrect size calculation for SSH failed/successful heuristic

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-947:
-
Resolution: Fixed
Status: Closed  (was: Open)

 Incorrect size calculation for SSH failed/successful heuristic
 --

 Key: BIT-947
 URL: https://bro-tracker.atlassian.net/browse/BIT-947
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Vlad Grigorescu
Priority: Low
 Fix For: 2.4


 We're getting a lot of false positives for successful SSH logins from a 
 source that we recently blackholed. I suspect what's happening is that the 
 retransmissions keep bumping up the size of the connection, until it crosses 
 the threshold for a successful connection. 
 With the changes from BIT-730: Find and fix tcp sequence counting bugs, is it 
 possible to improve the accuracy of the reported size?



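As an added illustration of the suspicion in the report (Python, not Bro's own code): two ways of sizing the server side of a connection, the naive per-packet byte sum that retransmissions inflate and a count of the distinct TCP sequence space actually covered. The 4000-byte success threshold and the constructed segment list are assumptions; the blackholed peer never ACKs, so the server keeps retransmitting its last segment.

```python
"""Why retransmissions inflate a size-based SSH login heuristic.

Added example (Python, not Bro's code). The threshold and the segment
list are constructed for illustration.
"""
from typing import Iterable, List, Tuple

Segment = Tuple[int, int]  # (relative TCP sequence number, payload length)

# Assumed threshold, loosely modelled on "enough server data means the login succeeded".
SUCCESS_BYTES = 4000


def naive_bytes(segments: Iterable[Segment]) -> int:
    """Add up every payload seen, retransmissions included (what the report describes)."""
    return sum(length for _, length in segments)


def covered_bytes(segments: Iterable[Segment]) -> int:
    """Bytes of distinct sequence space covered; repeated or overlapping ranges count once.

    Merges [seq, seq+len) intervals in sequence order, so a retransmission
    that re-segments the data differently is still counted only once.
    """
    intervals = sorted((seq, seq + length) for seq, length in segments if length > 0)
    total = 0
    cur_start = cur_end = None
    for start, end in intervals:
        if cur_end is None or start > cur_end:
            # gap (or first interval): close the current run and start a new one
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = start, end
        else:
            # overlap or adjacency: extend the current run
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += cur_end - cur_start
    return total


def login_outcome(server_bytes: int, threshold: int = SUCCESS_BYTES) -> str:
    """The size heuristic itself: enough server bytes is read as a successful login."""
    return "success" if server_bytes >= threshold else "failure"


# Constructed server->client stream: 1700 bytes of real data, then the client is
# blackholed, no ACKs come back, and the last 500-byte segment is retransmitted 8 times.
SERVER_SEGMENTS: List[Segment] = [(0, 500), (500, 500), (1000, 200), (1200, 500)] + [(1200, 500)] * 8


if __name__ == "__main__":
    print("naive   :", naive_bytes(SERVER_SEGMENTS), login_outcome(naive_bytes(SERVER_SEGMENTS)))
    print("covered :", covered_bytes(SERVER_SEGMENTS), login_outcome(covered_bytes(SERVER_SEGMENTS)))
```

Run stand-alone it shows the naive count crossing the threshold on retransmissions alone while the sequence-space count stays at the 1700 bytes the server actually produced, which is the false positive the report describes.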


[Bro-Dev] [JIRA] (BIT-947) Incorrect size calculation for SSH failed/successful heuristic

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20232#comment-20232
 ] 

Robin Sommer commented on BIT-947:
--

Should be fixed with new SSH code.

 Incorrect size calculation for SSH failed/successful heuristic
 --

 Key: BIT-947
 URL: https://bro-tracker.atlassian.net/browse/BIT-947
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Vlad Grigorescu
Priority: Low
 Fix For: 2.4


 We're getting a lot of false positives for successful SSH logins from a 
 source that we recently blackholed. I suspect what's happening is that the 
 retransmissions keep bumping up the size of the connection, until it crosses 
 the threshold for a successful connection. 
 With the changes from BIT-730: Find and fix tcp sequence counting bugs, is it 
 possible to improve the accuracy of the reported size?





[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1365:
--
Priority: Low  (was: Normal)

 direction field of SSH::Info no longer populated
 

 Key: BIT-1365
 URL: https://bro-tracker.atlassian.net/browse/BIT-1365
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Jon Siwek
Assignee: Vlad Grigorescu
Priority: Low
 Fix For: 2.4


 Here's the bug report:
 {quote}
 Reporter::ERROR   field value missing
 [SSH::c$ssh$direction]
 /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro, line 29
 Reporter::WARNING non-void function returns without a value:
 SSH::get_location (empty)
 Tracing this back, it looks like the SSH::c$ssh$direction is not being
 populated. I checked the /base/protocols/ssh/main.bro file and it looks
 like the function is missing.
 Looking at https://www.bro.org/sphinx/_downloads/main32.bro and
 https://github.com/bro/bro/blob/master/scripts/base/protocols/ssh/main.bro
 it looks like the function that determined the direction was removed at
 one point, which looks like it causes the
 /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro script to fail
 {quote}





[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1365:
--
Priority: Normal  (was: Low)

 direction field of SSH::Info no longer populated
 

 Key: BIT-1365
 URL: https://bro-tracker.atlassian.net/browse/BIT-1365
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Jon Siwek
Assignee: Vlad Grigorescu
 Fix For: 2.4


 Here's the bug report:
 {quote}
 Reporter::ERROR   field value missing
 [SSH::c$ssh$direction]
 /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro, line 29
 Reporter::WARNING non-void function returns without a value:
 SSH::get_location (empty)
 Tracing this back, it looks like the SSH::c$ssh$direction is not being
 populated. I checked the /base/protocols/ssh/main.bro file and it looks
 like the function is missing.
 Looking at https://www.bro.org/sphinx/_downloads/main32.bro and
 https://github.com/bro/bro/blob/master/scripts/base/protocols/ssh/main.bro
 it looks like the function that determined the direction was removed at
 one point, which looks like it causes the
 /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro script to fail
 {quote}





[Bro-Dev] [JIRA] (BIT-1353) BroCtl status/top take excessive amount of time

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20224#comment-20224
 ] 

Robin Sommer commented on BIT-1353:
---

set timeout to 30s and make configurable, revisit later when Broker is there

 BroCtl status/top take excessive amount of time
 ---

 Key: BIT-1353
 URL: https://bro-tracker.atlassian.net/browse/BIT-1353
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
 Fix For: 2.4


 After running a large bro cluster for a few days on a FreeBSD system (FreeBSD 
 10.1, 28 physical nodes, 81 worker processes), broctl actions that interact 
 with all nodes seem to take excessive amounts of time (2 minutes for a 
 broctl status). This was not the case right after starting up the cluster.
 If there is any way I can help with more information, please let me know what 
 to do.





[Bro-Dev] [JIRA] (BIT-1331) Bro manager crashes when logs rotate

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1331:
--
Priority: Low  (was: High)

 Bro manager crashes when logs rotate
 

 Key: BIT-1331
 URL: https://bro-tracker.atlassian.net/browse/BIT-1331
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master, 2.4
 Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
Reporter: Josh Liburdi
Priority: Low
 Fix For: 2.4


 The Bro manager crashes when the logs rotate. Workers run fine through this 
 process. 
 stderr.log output:
 internal error: finish missing
 /usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted 
 (core dumped) nohup $mybro $@
 send-mail: SENDMAIL-NOTFOUND not found





[Bro-Dev] [JIRA] (BIT-1337) Bro worker crash - terminate after 'std::length_error'

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1337:
-

Assignee: Vlad Grigorescu

 Bro worker crash - terminate after 'std::length_error'
 --

 Key: BIT-1337
 URL: https://bro-tracker.atlassian.net/browse/BIT-1337
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Josh Liburdi
Assignee: Vlad Grigorescu
 Fix For: 2.4


 Running Bro master with the Kerberos and RDP analyzer branches resulted in 
 one crashed worker on a pf_ring cluster. BroControl diag results below:
 terminate called after throwing an instance of 'std::length_error'
 what():  basic_string::_S_create
 /usr/local/bro/share/broctl/scripts/run-bro: line 85: 195850 Aborted  
(core dumped) nohup $mybro $@





[Bro-Dev] [JIRA] (BIT-1337) Bro worker crash - terminate after 'std::length_error'

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20227#comment-20227
 ] 

Robin Sommer commented on BIT-1337:
---

Let's do a quick sanity check of the code.

 Bro worker crash - terminate after 'std::length_error'
 --

 Key: BIT-1337
 URL: https://bro-tracker.atlassian.net/browse/BIT-1337
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Josh Liburdi
 Fix For: 2.4


 Running Bro master with the Kerberos and RDP analyzer branches resulted in 
 one crashed worker on a pf_ring cluster. BroControl diag results below:
 terminate called after throwing an instance of 'std::length_error'
 what():  basic_string::_S_create
 /usr/local/bro/share/broctl/scripts/run-bro: line 85: 195850 Aborted  
(core dumped) nohup $mybro $@





[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

2015-04-03 Thread Johanna Amann (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20231#comment-20231
 ] 

Johanna Amann commented on BIT-1363:


I am not sure we can do this easily, because we need something that makes sure 
that the same flows always go to the same bro workers... this seems like it 
might be a job for packet-bricks or similar and not for Bro.

 Clustered AF_PACKET support
 ---

 Key: BIT-1363
 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Affects Versions: git/master
Reporter: Michal Purzynski

 Let's have support for packet capture with AF_PACKET sockets in a multi-worker 
 configuration.
 Bro can use a single worker with af_packet (I have tested it and it works), but 
 having direct support for multi-worker load balancing would make it possible to 
 avoid pf_ring for many deployments at traffic levels where DNA / ZC / 
 Myricom / DAG is not required.



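An added example, not part of the ticket or of Bro, of the property the comment above asks of a multi-worker packet source: a flow hash that sends both directions of a connection to the same worker. The worker count and the sample flows are made up; SHA-256 is used only to get a deterministic spread, a real fanout would use a cheaper hash. The directional variant is included to show what goes wrong when the two endpoints are hashed in the order they appear on the wire.

```python
"""Symmetric flow hashing: both directions of a connection map to the same worker.

Added example (not Bro code). Worker count and sample flows are constructed.
"""
import hashlib
import ipaddress
import struct
from typing import Callable, Iterable, NamedTuple


class Flow(NamedTuple):
    src: str    # IPv4 or IPv6 literal
    dst: str
    sport: int
    dport: int
    proto: int  # IP protocol number: 6 = TCP, 17 = UDP


def _endpoint(addr: str, port: int) -> bytes:
    """Packed address followed by the port in network byte order."""
    return ipaddress.ip_address(addr).packed + struct.pack("!H", port)


def directional_key(flow: Flow) -> bytes:
    """Key that depends on which side is listed first: A->B and B->A differ."""
    return _endpoint(flow.src, flow.sport) + _endpoint(flow.dst, flow.dport) + bytes([flow.proto])


def symmetric_key(flow: Flow) -> bytes:
    """Key that is identical for A->B and B->A: order the two endpoints first."""
    a = _endpoint(flow.src, flow.sport)
    b = _endpoint(flow.dst, flow.dport)
    lo, hi = sorted((a, b))
    return lo + hi + bytes([flow.proto])


def worker_for(key: bytes, n_workers: int) -> int:
    """Map a flow key onto one of n_workers (SHA-256 here only for determinism)."""
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % n_workers


def reverse(flow: Flow) -> Flow:
    """The same connection as seen from the other direction."""
    return Flow(flow.dst, flow.src, flow.dport, flow.sport, flow.proto)


def split_flows(flows: Iterable[Flow], n_workers: int, keyfn: Callable[[Flow], bytes]) -> int:
    """Number of flows whose two directions would land on different workers."""
    return sum(1 for f in flows
               if worker_for(keyfn(f), n_workers) != worker_for(keyfn(reverse(f)), n_workers))


# Constructed sample flows (documentation/test addresses, not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 51234, 443, 6),
    Flow("192.168.1.20", "198.51.100.9", 40000, 53, 17),
    Flow("2001:db8::10", "2001:db8:1::22", 55555, 22, 6),
    Flow("10.0.0.5", "203.0.113.7", 51235, 443, 6),
]


if __name__ == "__main__":
    for name, fn in (("directional", directional_key), ("symmetric", symmetric_key)):
        print(f"{name}: {split_flows(SAMPLE_FLOWS, 8, fn)} of {len(SAMPLE_FLOWS)} flows split across workers")
```

With the symmetric key the split count is always zero, which is the guarantee a worker needs to see both halves of a TCP stream; with the directional key whether a given flow splits depends on the hash, which is exactly the situation a per-worker packet source has to avoid.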


[Bro-Dev] [JIRA] (BIT-1154) Formatters restructured in: topic/seth/json-formatter

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1154:
-

Assignee: Seth Hall

 Formatters restructured in: topic/seth/json-formatter
 ---

 Key: BIT-1154
 URL: https://bro-tracker.atlassian.net/browse/BIT-1154
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Affects Versions: 2.4
Reporter: Seth Hall
Assignee: Seth Hall
 Fix For: 2.4


 topic/seth/json-formatter has an abstraction for Formatters and I created a 
 formatters directory under threading.  There is also a new JSON formatter and 
 support in the Ascii and ElasticSearch writers for the JSON formatter.
 I went ahead and threw in per-filter configuration options for the Ascii 
 writer for all of the options that were exposed globally too.





[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

2015-04-03 Thread Seth Hall (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20220#comment-20220
 ] 

Seth Hall commented on BIT-1363:


How did you test it?  Did you write a new packet source plugin?

 Clustered AF_PACKET support
 ---

 Key: BIT-1363
 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Affects Versions: git/master
Reporter: Michal Purzynski

 Let's have support for packet capture with AF_PACKET sockets in a multi-worker 
 configuration.
 Bro can use a single worker with af_packet (I have tested it and it works), but 
 having direct support for multi-worker load balancing would make it possible to 
 avoid pf_ring for many deployments at traffic levels where DNA / ZC / 
 Myricom / DAG is not required.





[Bro-Dev] [JIRA] (BIT-1369) Kerberos Analyzer

2015-04-03 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1369:


 Summary: Kerberos Analyzer
 Key: BIT-1369
 URL: https://bro-tracker.atlassian.net/browse/BIT-1369
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Affects Versions: 2.4
Reporter: Vlad Grigorescu
Assignee: Vlad Grigorescu


topic/vladg/kerberos has a Kerberos analyzer.





[Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1263:
--
Fix Version/s: (was: 2.4)
   2.5

 Implementing three event handlers for supported data structure in Modbus 
 Analyzer
 -

 Key: BIT-1263
 URL: https://bro-tracker.atlassian.net/browse/BIT-1263
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Reporter: hui
Priority: Low
  Labels: analyzer, modbus
 Fix For: 2.5


 Three supporting data structures are defined in the Modbus analyzer:
 FileRecordRequest,
 FileRecordResponse,
 ReferenceWithData
 Three event handlers are declared for them. 
 The changes are already made and pushed into the branch:
 topic/hui/modbus-events2





[Bro-Dev] [JIRA] (BIT-1345) Crash due to a bad dictionary insert

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1345:
-

Assignee: Jon Siwek

 Crash due to a bad dictionary insert
 

 Key: BIT-1345
 URL: https://bro-tracker.atlassian.net/browse/BIT-1345
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Reporter: Aaron Eppert
Assignee: Jon Siwek
Priority: High
 Fix For: 2.4


 #0  0x00713b87 in Dictionary::Insert (this=0x1339840, 
 new_entry=0xb18a9d0, copy_key=0) at /root/redacted/bro/src/Dict.cc:419
 #1  0x007130b0 in Dictionary::Insert (this=0x1339840, key=0xa23f6d0, 
 key_size=36, hash=658668102, val=0x67fde40, copy_key=0) at 
 /root/redacted/bro/src/Dict.cc:158
 #2  0x006cb508 in Dictionary::Insert (this=0x1339840, 
 key=0x74ba81b0, val=0x67fde40) at /root/redacted/bro/src/Dict.h:47
 #3  0x0077ee9b in IDPDict::Insert (this=0x1339840, key=0xebf780 
 #redacted-redacted.redacted.redacted#21703#1182, val=0x67fde40) at 
 /root/redacted/bro/src/Scope.h:18
 #4  0x0077ef05 in Scope::Insert (this=0x133a8b0, name=0xebf780 
 #redacted-redacted.redacted.redacted#21703#1182, id=0x67fde40) at 
 /root/redacted/bro/src/Scope.h:26
 #5  0x008010cc in MutableVal::Bind (this=0x14f451f0) at 
 /root/redacted/bro/src/Val.cc:624
 #6  0x00800ec8 in MutableVal::AddProperties (this=0x14f451f0, 
 arg_props=2 '\002') at /root/redacted/bro/src/Val.cc:558
 #7  0x0080a8d6 in RecordVal::AddProperties (this=0x14f451f0, 
 arg_props=2 '\002') at /root/redacted/bro/src/Val.cc:2866
 #8  0x00805948 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, 
 k=0x0, new_val=0x14f451f0, op=OP_ASSIGN) at 
 /root/redacted/bro/src/Val.cc:1502
 #9  0x00805501 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, 
 new_val=0x14f451f0, op=OP_ASSIGN) at /root/redacted/bro/src/Val.cc:1442
 #10 0x00738b13 in IndexExpr::Assign (this=0x2087350, f=0x12073280, 
 v=0x14f451f0, op=OP_ASSIGN) at /root/redacted/bro/src/Expr.cc:3135
 #11 0x007362a2 in RefExpr::Assign (this=0x2087540, f=0x12073280, 
 v=0x14f451f0, opcode=OP_ASSIGN) at /root/redacted/bro/src/Expr.cc:2463
 #12 0x007370ea in AssignExpr::Eval (this=0x20874d0, f=0x12073280) at 
 /root/redacted/bro/src/Expr.cc:2673
 #13 0x007e22bb in ExprStmt::Exec (this=0x2087660, f=0x12073280, 
 flow=@0x74ba8624) at /root/redacted/bro/src/Stmt.cc:369
 #14 0x007e8375 in StmtList::Exec (this=0x2082c80, f=0x12073280, 
 flow=@0x74ba8624) at /root/redacted/bro/src/Stmt.cc:1764
 #15 0x0074e6cd in BroFunc::Call (this=0x2087e70, args=0x13525bb0, 
 parent=0x0) at /root/redacted/bro/src/Func.cc:386
 #16 0x00725883 in EventHandler::Call (this=0x2082160, vl=0x13525bb0, 
 no_remote=false) at /root/redacted/bro/src/EventHandler.cc:80
 #17 0x006d8cc2 in Event::Dispatch (this=0x620e610, no_remote=false) 
 at /root/redacted/bro/src/Event.h:50
 #18 0x00724ef7 in EventMgr::Dispatch (this=0xebd400) at 
 /root/redacted/bro/src/Event.cc:111
 #19 0x00725032 in EventMgr::Drain (this=0xebd400) at 
 /root/redacted/bro/src/Event.cc:128
 #20 0x00788828 in net_packet_dispatch (t=1426626559.98401, 
 hdr=0x3314d40, pkt=0x7f14a8b464cc Address 0x7f14a8b464cc out of bounds, 
 hdr_size=14, src_ps=0x3314c00)
 at /root/redacted/bro/src/Net.cc:278
 #21 0x00a786d5 in iosource::PktSrc::Process (this=0x3314c00) at 
 /root/redacted/bro/src/iosource/PktSrc.cc:411
 #22 0x007889f8 in net_run () at /root/redacted/bro/src/Net.cc:320
 #23 0x006d8157 in main (argc=20, argv=0x74ba9188) at 
 /root/redacted/bro/src/main.cc:1200





[Bro-Dev] [JIRA] (BIT-1352) Certificate validation script does not deal well with root-certs being sent by server

2015-04-03 Thread Robin Sommer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1352:
--
Fix Version/s: 2.5 (was: 2.4)

 Certificate validation script does not deal well with root-certs being sent 
 by server
 -

 Key: BIT-1352
 URL: https://bro-tracker.atlassian.net/browse/BIT-1352
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Johanna Amann
 Fix For: 2.5


 Currently, the validate-certs script in policy does not deal well with 
 certain certificate chains, where the trust-anchor is being sent by the 
 server. We should be able to fix this by removing the trust-anchor 
 automatically from the chain; solving this might potentially change the way 
 root-certs are currently being loaded into Bro.
 Example server: access.redhat.com





[Bro-Dev] [JIRA] (BIT-1349) Broctl stop output is not sorted anymore

2015-04-03 Thread Robin Sommer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1349:
--
Resolution: Fixed
Status: Closed  (was: Open)

 Broctl stop output is not sorted anymore
 

 Key: BIT-1349
 URL: https://bro-tracker.atlassian.net/browse/BIT-1349
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Daniel Thayer
Priority: Trivial
 Fix For: 2.4


 Minor: the output of the worker nodes when doing broctl stop is not sorted
 anymore. We should either sort it (or just skip outputting it altogether);
 at the moment it is not really useful: if there is no numerical order, it is
 difficult to see whether a number one wants to have in there is missing or not.





[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

2015-04-03 Thread Michal Purzynski (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20229#comment-20229 ]

Michal Purzynski commented on BIT-1363:
---

No, I used unmodified Bro 2.3 and started it on a router with a configuration
like this:

[manager]
type=manager
host=172.19.254.254

[proxy-1]
type=proxy
host=172.19.254.254

[nsm1-eth0]
type=worker
host=172.19.254.254
interface=eth0

Bro starts with a single worker and logs are generated.

Name       Type     Host             Status    Pid    Peers  Started
manager    manager  172.19.254.254   running   16784  2      20 Feb 23:45:34
proxy-1    proxy    172.19.254.254   running   16824  2      20 Feb 23:45:36
nsm1-eth0  worker   172.19.254.254   running   16849  2      20 Feb 23:45:38


 Clustered AF_PACKET support
 ---

 Key: BIT-1363
 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
 Project: Bro Issue Tracker
  Issue Type: New Feature
  Components: Bro
Affects Versions: git/master
Reporter: Michal Purzynski

 Let's have support for packet capture with AF_PACKET sockets in a
 multi-worker configuration.
 Bro can use a single worker with af_packet (I have tested it and it works), but
 having direct support for multi-worker load balancing would allow avoiding
 pf_ring for many deployments with traffic levels where DNA / ZC /
 Myricom / DAG is not required.





[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

2015-04-03 Thread Michal Purzynski (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20237#comment-20237 ]

Michal Purzynski commented on BIT-1363:
---

http://man7.org/linux/man-pages/man7/packet.7.html

    PACKET_FANOUT_HASH sends packets from the same flow to the same socket
    to maintain per-flow ordering. For each packet, it chooses a socket by
    taking the packet flow hash modulo the number of sockets in the group,
    where a flow hash is a hash over network-layer address and optional
    transport-layer port fields.

So each process would need to create a socket, join the same group of
sockets with setsockopt(), and begin receiving packets.
FANOUT_HASH even has optional defragmenting support.

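The per-worker setup described in the comment above, as an added example (not Bro project code): each capture process opens its own AF_PACKET socket and joins one fanout group with PACKET_FANOUT_HASH plus the defragment flag. Function names, the interface name eth0 and the group id 42 are assumptions for the demo.

```c
/* Added example, not Bro project code: one capture worker joining an AF_PACKET
 * fanout group as the comment above describes (function names are mine). */
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Pack the PACKET_FANOUT option: group id in the low 16 bits, algorithm and
 * flags in the high 16 bits, as packet(7) specifies. */
int fanout_arg(unsigned short group_id, unsigned short type, unsigned short flags)
{
    return (int)(group_id | ((unsigned)(type | flags) << 16));
}

/* Open a raw AF_PACKET socket on ifname and join fanout group group_id with
 * per-flow hashing; DEFRAG makes the kernel reassemble IP fragments first so
 * a whole datagram reaches one worker. Every worker calls this with the same
 * ifname and group_id. Returns the fd or -1 (needs CAP_NET_RAW). */
int open_fanout_worker(const char *ifname, unsigned short group_id)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = (int)if_nametoindex(ifname);
    int arg = fanout_arg(group_id, PACKET_FANOUT_HASH, PACKET_FANOUT_FLAG_DEFRAG);
    if (sll.sll_ifindex == 0 ||
        bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_FANOUT, &arg, sizeof arg) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = open_fanout_worker("eth0", 42); /* one copy per worker process */
    if (fd < 0) { perror("open_fanout_worker"); return 1; }
    unsigned char buf[65536];
    printf("received %zd bytes\n", recv(fd, buf, sizeof buf, 0));
    return close(fd);
}
```

Start several copies with the same interface and group id and the kernel hands each flow to exactly one of them; a mismatch in group id or fanout type between workers makes setsockopt fail rather than silently duplicating traffic.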