[Bro-Dev] [Auto] Merge Status
Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
BIT-1362 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-04-01  2.4          Normal    topic/dnthayer/fixes-for-2.4 [2]

Open GitHub Pull Requests
=========================

Issue    Component  User         Updated     Title
#29 [3]  bro        jshlbrd [4]  2015-03-25  Add PROXY-AUTHORIZATION header to http.log [5]
#28 [6]  bro        aeppert [7]  2015-03-20  Seems to fix a case where an entry in the table may be null on insert. [8]

[1] BIT-1362
    https://bro-tracker.atlassian.net/browse/BIT-1362
[2] fixes-for-2.4
    https://github.com/bro/brocontrol/tree/topic/dnthayer/fixes-for-2.4
[3] Pull Request #29
    https://github.com/bro/bro/pull/29
[4] jshlbrd
    https://github.com/jshlbrd
[5] Merge Pull Request #29 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git patch-2
[6] Pull Request #28
    https://github.com/bro/bro/pull/28
[7] aeppert
    https://github.com/aeppert
[8] Merge Pull Request #28 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master

_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet
[ https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1364:
---------------------------------

    Assignee: Jon Siwek

Bro does not attach UDP analyzers when signature matches after first packet
---------------------------------------------------------------------------

                Key: BIT-1364
                URL: https://bro-tracker.atlassian.net/browse/BIT-1364
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: git/master
           Reporter: Johanna Amann
           Assignee: Jon Siwek
           Priority: Low
            Fix For: 2.4
        Attachments: f1.pcap, f2.pcap

At the moment, Bro only seems to attach UDP analyzers based on signatures if the very first UDP packet matches the signature. Even if later UDP packets match the signature, the analyzer is not attached.

The attachments contain a test case. f1.pcap contains a DTLS connection with a few STUN packets that are sent first, which is not recognized as DTLS. f2.pcap contains the same connection with the first few packets missing.

It would probably be nice if one could at least opt to attach analyzers at a later time too, if a signature matches. (I know that 2.4 is probably a bit optimistic for this.)

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)

_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1355) Hitting crl+c in broctl gives ugly output
[ https://bro-tracker.atlassian.net/browse/BIT-1355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20223#comment-20223 ]

Robin Sommer commented on BIT-1355:
-----------------------------------

Part of BIT-1362.

Hitting crl+c in broctl gives ugly output
-----------------------------------------

                Key: BIT-1355
                URL: https://bro-tracker.atlassian.net/browse/BIT-1355
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: BroControl
   Affects Versions: git/master
           Reporter: Johanna Amann
           Assignee: Daniel Thayer
            Fix For: 2.4

Hitting ctrl+c in broctl results in an ugly stack-trace at the moment:

{code}
$ broctl
warning: new bro version detected (run the broctl "deploy" command)

Welcome to BroControl 1.3-162

Type "help" for help.

[BroControl] > Traceback (most recent call last):
  File "/xa/bro/master/bin/broctl", line 777, in <module>
    sys.exit(main())
  File "/xa/bro/master/bin/broctl", line 772, in main
    cmdsuccess = loop.cmdloop("\nWelcome to BroControl %s\n\nType \"help\" for help.\n" % version.VERSION)
  File "/xa/bro/master/lib/broctl/BroControl/brocmd.py", line 36, in cmdloop
    line = py3bro.input(self.prompt)
KeyboardInterrupt
$
{code}
[Bro-Dev] [JIRA] (BIT-1355) Hitting crl+c in broctl gives ugly output
[ https://bro-tracker.atlassian.net/browse/BIT-1355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1355:
------------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

Hitting crl+c in broctl gives ugly output
-----------------------------------------

                Key: BIT-1355
                URL: https://bro-tracker.atlassian.net/browse/BIT-1355
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: BroControl
   Affects Versions: git/master
           Reporter: Johanna Amann
           Assignee: Daniel Thayer
            Fix For: 2.4

Hitting ctrl+c in broctl results in an ugly stack-trace at the moment:

{code}
$ broctl
warning: new bro version detected (run the broctl "deploy" command)

Welcome to BroControl 1.3-162

Type "help" for help.

[BroControl] > Traceback (most recent call last):
  File "/xa/bro/master/bin/broctl", line 777, in <module>
    sys.exit(main())
  File "/xa/bro/master/bin/broctl", line 772, in main
    cmdsuccess = loop.cmdloop("\nWelcome to BroControl %s\n\nType \"help\" for help.\n" % version.VERSION)
  File "/xa/bro/master/lib/broctl/BroControl/brocmd.py", line 36, in cmdloop
    line = py3bro.input(self.prompt)
KeyboardInterrupt
$
{code}
[Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger
[ https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20228#comment-20228 ]

Robin Sommer commented on BIT-1329:
-----------------------------------

Fixed in BIT-1362.

BroControl scripts displays meta-information from bro logger
------------------------------------------------------------

                Key: BIT-1329
                URL: https://bro-tracker.atlassian.net/browse/BIT-1329
            Project: Bro Issue Tracker
         Issue Type: New Feature
         Components: BroControl
   Affects Versions: git/master
           Reporter: Johanna Amann
           Assignee: Daniel Thayer
            Fix For: 2.4

When issuing broctl scripts, the output contains meta bro-log-lines (like #fields, etc.) that we probably do not want to display in this case. Example:

{code}
[BroControl] > scripts manager
manager scripts are ok.
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	loaded_scripts
#open	2015-03-05-13-24-34
#fields	name
#types	string
/xa/bro/master/share/bro/base/init-bare.bro
/xa/bro/master/share/bro/base/bif/const.bif.bro
...
/xa/bro/master/share/bro/broctl/check.bro
#close	2015-03-05-13-24-34
{code}
[Bro-Dev] [JIRA] (BIT-631) Special message for broctl locking when done by cron
[ https://bro-tracker.atlassian.net/browse/BIT-631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-631:
-----------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

Special message for broctl locking when done by cron
----------------------------------------------------

                Key: BIT-631
                URL: https://bro-tracker.atlassian.net/browse/BIT-631
            Project: Bro Issue Tracker
         Issue Type: New Feature
         Components: BroControl
           Reporter: Seth Hall
           Assignee: Daniel Thayer
            Fix For: 2.4

If the broctl lock is being held by the cron command it would be nice if the message that indicates a lock is already held would indicate if it is the cron command. If multiple people are working with broctl, the person that gets a lock doesn't know if it's because of another user or because they happened to be trying to do something while the cron command is running.
[Bro-Dev] [JIRA] (BIT-931) Ascii writer does not escape empty sets / vectors
[ https://bro-tracker.atlassian.net/browse/BIT-931?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-931:
-----------------------------

    Fix Version/s: 2.5  (was: 2.4)

Ascii writer does not escape empty sets / vectors
-------------------------------------------------

                Key: BIT-931
                URL: https://bro-tracker.atlassian.net/browse/BIT-931
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: git/master
           Reporter: Johanna Amann
           Assignee: Seth Hall
            Fix For: 2.5

The script

{noformat}
redef LogAscii::empty_field = "EMPTY";

module SSH;

export {
	redef enum Log::ID += { LOG };

	type Log: record {
		ss: set[string];
	} &log;
}

event bro_init()
	{
	Log::create_stream(SSH::LOG, [$columns=Log]);
	Log::write(SSH::LOG, [ $ss=set("EMPTY") ]);
	}
{noformat}

outputs the line

{noformat}
EMPTY
{noformat}

to a log-file. This makes it impossible to distinguish a line containing "EMPTY" from a line containing an empty set.
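The ambiguity BIT-931 describes, as an added example that is not Bro's own ASCII writer code: a Python mirror of how a set[string] column is written and read back, plus a minimal reader for the log header directives. The sample log and the escape=True variant are assumptions for illustration, not the project's fix.

```python
"""Constructed illustration of the empty-set ambiguity from BIT-931.
This is not Bro's ASCII writer; it mirrors its behaviour for set columns."""
import re
from typing import Dict, List, Optional, Set

# Bro-style \xHH escapes; used by the reader and by the assumed escaping writer.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(text: str) -> str:
    """Decode \\xHH sequences back to the characters they stand for."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def format_set(values: Set[str], empty_field: str, set_sep: str = ",",
               escape: bool = False) -> str:
    """Writer side for a set[string] column: an empty set becomes the
    empty_field marker, otherwise the elements are joined with set_sep.
    With escape=False an element equal to the marker is written verbatim,
    which is the collision BIT-931 reports. escape=True is an assumed
    mitigation (not the project's fix): hex-escape the first character of
    such an element so it can no longer be read as the marker."""
    if not values:
        return empty_field
    out = []
    for elem in sorted(values):
        if escape and elem and elem == empty_field:
            elem = "\\x%02x%s" % (ord(elem[0]), elem[1:])
        out.append(elem)
    return set_sep.join(out)


def parse_set(field: str, empty_field: str, unset_field: str = "-",
              set_sep: str = ",") -> Optional[Set[str]]:
    """Reader side: the marker means empty set, unset_field means unset
    (None), anything else is split on set_sep and unescaped. A lone element
    equal to the marker is indistinguishable from the empty set here."""
    if field == unset_field:
        return None
    if field == empty_field:
        return set()
    return {unescape(e) for e in field.split(set_sep)}


def roundtrip(values: Set[str], empty_field: str,
              escape: bool = False) -> Optional[Set[str]]:
    """Write a set and read it back with the same empty_field marker."""
    return parse_set(format_set(values, empty_field, escape=escape), empty_field)


def parse_log(text: str) -> List[Dict[str, object]]:
    """Minimal reader for a Bro ASCII log: honours the #separator,
    #set_separator, #empty_field, #unset_field, #fields and #types header
    directives and returns one dict per data row. set[...] and vector[...]
    columns go through parse_set; other columns stay strings."""
    sep, set_sep, empty_field, unset_field = "\t", ",", "(empty)", "-"
    fields: List[str] = []
    types: List[str] = []
    rows: List[Dict[str, object]] = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator "):
            sep = unescape(raw[len("#separator "):])  # e.g. \x09 for a tab
            continue
        if raw.startswith("#"):
            key, _, value = raw[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty_field = value
            elif key == "unset_field":
                unset_field = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close and friends are ignored
        row: Dict[str, object] = {}
        for name, typ, col in zip(fields, types, raw.split(sep)):
            if typ.startswith(("set[", "vector[")):
                row[name] = parse_set(col, empty_field, unset_field, set_sep)
            else:
                row[name] = None if col == unset_field else col
        rows.append(row)
    return rows


# Constructed log, written the way the reporter's script configures the
# writer (LogAscii::empty_field = "EMPTY"). Row 1 is the ambiguous case.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\tEMPTY\n"
    "#unset_field\t-\n"
    "#path\tssh\n"
    "#fields\tts\tss\n"
    "#types\ttime\tset[string]\n"
    "1.0\tEMPTY\n"        # set("EMPTY") or an empty set? The reader cannot tell.
    "2.0\tEMPTY,other\n"  # unambiguous: only a lone element collides
    "3.0\t-\n"            # unset field
)
```

roundtrip({"EMPTY"}, "EMPTY") comes back as an empty set, which is the data loss the report describes; with the default "(empty)" marker, or with the escaping writer, the element survives.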
[Bro-Dev] [JIRA] (BIT-1368) File type identification fixes
Seth Hall created BIT-1368:
---------------------------

             Summary: File type identification fixes
                 Key: BIT-1368
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1368
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
            Reporter: Seth Hall
            Assignee: Seth Hall

I have some changes nearly queued up for the 2.4 release in the repository (topic/seth/more-file-type-ident-fixes), but a bit more work needs to be done. There may be one more breaking change to the files API coming in this branch too. Jon and I discussed some options and I think that creating a new event named file_sniff in place of the file_mime_type event makes sense. We can put the mime type and more sniff-originated data in a record on that event so that we can extend it cleanly (and without breaking APIs) in the future. I think it will look something like this:

```
type fa_sniff: record {
	## Depth sniffed.
	depth: count &default=0;
	## Sniffed mime type if one was discovered.
	mime_type: string &optional;
};

event file_sniff(f: fa_file, sniff: fa_sniff)
	{
	if ( sniff?$mime_type )
		{
		print sniff$mime_type;
		}
	}
```

One other thing this branch will address is a performance degradation from certain file signatures interacting with each other poorly.
[Bro-Dev] [JIRA] (BIT-1367) Type clashing problem when records with default values are used in sets.
[ https://bro-tracker.atlassian.net/browse/BIT-1367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1367:
---------------------------------

    Assignee: Robin Sommer

Type clashing problem when records with default values are used in sets.
------------------------------------------------------------------------

                Key: BIT-1367
                URL: https://bro-tracker.atlassian.net/browse/BIT-1367
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: git/master
           Reporter: Johanna Amann
           Assignee: Robin Sommer
             Labels: logging
            Fix For: 2.4

topic/johanna/sft-port is a branch that contains a slight modification to the sftp log-rotator, adding the possibility to select the server port with a default value of 20. After adding this small change, the Bro type system is no longer able to figure out that it can coerce the record in cases that previously worked.

The default evocation of the sftp log-rotator using:

{code}
Log::add_filter(Conn::LOG, [$name="test", $path="testconn", $writer=Log::WRITER_ASCII, $interv=1hr, $postprocessor=Log::sftp_postprocessor]);
Log::sftp_destinations[Log::WRITER_ASCII,"testconn"] = set([$user="testuser",$host="testhost",$path="testpath"]);
{code}

or similar leads to

{code}
type clash in assignment (Log::sftp_destinations[Log::WRITER_ASCII, "testconn"] = set([$user="testuser", $host="testhost", $path="testpath"]))
{code}

Directly specifying the type of the record works, but would break all other scripts that are using the sftp log rotator currently. Working example:

{code}
Log::add_filter(Conn::LOG, [$name="test", $path="testconn", $writer=Log::WRITER_ASCII, $interv=1hr, $postprocessor=Log::sftp_postprocessor]);
Log::sftp_destinations[Log::WRITER_ASCII,"testconn"] = set(Log::SFTPDestination($user="testuser",$host="testhost",$path="testpath"));
{code}

Once this is fixed, topic/johanna/sft-port can be merged.
[Bro-Dev] [JIRA] (BIT-1367) Type clashing problem when records with default values are used in sets.
[ https://bro-tracker.atlassian.net/browse/BIT-1367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1367:
---------------------------------

    Assignee: Jon Siwek  (was: Robin Sommer)

Type clashing problem when records with default values are used in sets.
------------------------------------------------------------------------

                Key: BIT-1367
                URL: https://bro-tracker.atlassian.net/browse/BIT-1367
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: git/master
           Reporter: Johanna Amann
           Assignee: Jon Siwek
             Labels: logging
            Fix For: 2.4

topic/johanna/sft-port is a branch that contains a slight modification to the sftp log-rotator, adding the possibility to select the server port with a default value of 20. After adding this small change, the Bro type system is no longer able to figure out that it can coerce the record in cases that previously worked.

The default evocation of the sftp log-rotator using:

{code}
Log::add_filter(Conn::LOG, [$name="test", $path="testconn", $writer=Log::WRITER_ASCII, $interv=1hr, $postprocessor=Log::sftp_postprocessor]);
Log::sftp_destinations[Log::WRITER_ASCII,"testconn"] = set([$user="testuser",$host="testhost",$path="testpath"]);
{code}

or similar leads to

{code}
type clash in assignment (Log::sftp_destinations[Log::WRITER_ASCII, "testconn"] = set([$user="testuser", $host="testhost", $path="testpath"]))
{code}

Directly specifying the type of the record works, but would break all other scripts that are using the sftp log rotator currently. Working example:

{code}
Log::add_filter(Conn::LOG, [$name="test", $path="testconn", $writer=Log::WRITER_ASCII, $interv=1hr, $postprocessor=Log::sftp_postprocessor]);
Log::sftp_destinations[Log::WRITER_ASCII,"testconn"] = set(Log::SFTPDestination($user="testuser",$host="testhost",$path="testpath"));
{code}

Once this is fixed, topic/johanna/sft-port can be merged.
[Bro-Dev] [JIRA] (BIT-1360) Better error message when SpoolDir does not exist
[ https://bro-tracker.atlassian.net/browse/BIT-1360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20221#comment-20221 ]

Robin Sommer commented on BIT-1360:
-----------------------------------

Included in BIT-1362.

Better error message when SpoolDir does not exist
-------------------------------------------------

                Key: BIT-1360
                URL: https://bro-tracker.atlassian.net/browse/BIT-1360
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: BroControl
   Affects Versions: git/master
           Reporter: Johanna Amann
           Assignee: Daniel Thayer
           Priority: Low
            Fix For: 2.4

Currently, the error message that is given when SpoolDir in broctl.cfg does not exist is rather unhelpful (something in the direction of "Cannot open database").
[Bro-Dev] [JIRA] (BIT-1342) Occasional test failures
[ https://bro-tracker.atlassian.net/browse/BIT-1342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1342:
---------------------------------

    Assignee: Daniel Thayer

Occasional test failures
------------------------

                Key: BIT-1342
                URL: https://bro-tracker.atlassian.net/browse/BIT-1342
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: BroControl
           Reporter: Robin Sommer
           Assignee: Daniel Thayer
            Fix For: 2.4

Two tests in current master fail for me occasionally (usually when I run the full broctl test-suite but not when I rerun just these failing tests). Diag output below.

{code}
command.start-stop-standalone ... failed
  % 'btest-diff stop.out' failed unexpectedly (exit code 1)
  % cat .diag
  == File ===============================
  stopping bro ...
  Exception in thread Thread-1 (most likely raised during interpreter shutdown):
  Traceback (most recent call last):
    File "/usr/lib64/python2.7/threading.py", line 811, in __bootstrap_inner
    File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", line
    File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", line
    File "/usr/lib64/python2.7/Queue.py", line 177, in get
    File "/usr/lib64/python2.7/threading.py", line 354, in wait
  <type 'exceptions.TypeError'>: 'NoneType' object is not callable
  == Diff ===============================
  --- /home/robin/bro/master/aux/broctl/testing/Baseline/command.start-stop-standalone/stop.out	2013-06-01 00:29:07.
  +++ stop.out	2015-03-17 22:50:01.857838625 +
  @@ -1 +1,9 @@
   stopping bro ...
  +Exception in thread Thread-1 (most likely raised during interpreter shutdown):
  +Traceback (most recent call last):
  +  File "/usr/lib64/python2.7/threading.py", line 811, in __bootstrap_inner
  +  File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", l
  +  File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", l
  +  File "/usr/lib64/python2.7/Queue.py", line 177, in get
  +  File "/usr/lib64/python2.7/threading.py", line 354, in wait
  +<type 'exceptions.TypeError'>: 'NoneType' object is not callable
  =======================================

[...]

command.start-cluster-slowstart ... failed
  % 'btest-diff status2.out' failed unexpectedly (exit code 1)
  % cat .diag
  == File ===============================
  Getting process status ...
  Getting peer status ...
  Name         Type    Host          Status    Pid    Peers  Started
  manager      manager localhost     stopped
  proxy-1      proxy   localhost     stopped
  worker-1     worker  localhost     stopped
  worker-2     worker  localhost     stopped
  == Diff ===============================
  --- /home/robin/bro/master/aux/broctl/testing/Baseline/command.start-cluster-slowstart/status2.out	2015-03-04 20:16
  +++ status2.out	2015-03-17 22:50:26.578618684 +
  @@ -3,5 +3,5 @@
   Name         Type    Host          Status    Pid    Peers  Started
   manager      manager localhost     stopped
   proxy-1      proxy   localhost     stopped
  -worker-1     worker  localhost     crashed
  +worker-1     worker  localhost     stopped
   worker-2     worker  localhost     stopped
  =======================================
{code}
[Bro-Dev] [JIRA] (BIT-1336) ElasticSearch indices in UTC
[ https://bro-tracker.atlassian.net/browse/BIT-1336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1336:
---------------------------------

    Assignee: Seth Hall

ElasticSearch indices in UTC
----------------------------

                Key: BIT-1336
                URL: https://bro-tracker.atlassian.net/browse/BIT-1336
            Project: Bro Issue Tracker
         Issue Type: Improvement
         Components: Bro
   Affects Versions: 2.4
           Reporter: Vlad Grigorescu
           Assignee: Seth Hall
           Priority: Trivial
            Fix For: 2.4

For improved compatibility with Kibana and other ElasticSearch frontends, the timestamps on the Bro indices should be changed to UTC.
[Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger
[ https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1329:
------------------------------

    Resolution: Fixed
        Status: Closed  (was: Reopened)

BroControl scripts displays meta-information from bro logger
------------------------------------------------------------

                Key: BIT-1329
                URL: https://bro-tracker.atlassian.net/browse/BIT-1329
            Project: Bro Issue Tracker
         Issue Type: New Feature
         Components: BroControl
   Affects Versions: git/master
           Reporter: Johanna Amann
           Assignee: Daniel Thayer
            Fix For: 2.4

When issuing broctl scripts, the output contains meta bro-log-lines (like #fields, etc.) that we probably do not want to display in this case. Example:

{code}
[BroControl] > scripts manager
manager scripts are ok.
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	loaded_scripts
#open	2015-03-05-13-24-34
#fields	name
#types	string
/xa/bro/master/share/bro/base/init-bare.bro
/xa/bro/master/share/bro/base/bif/const.bif.bro
...
/xa/bro/master/share/bro/broctl/check.bro
#close	2015-03-05-13-24-34
{code}
[Bro-Dev] [JIRA] (BIT-1369) Kerberos Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1369?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vlad Grigorescu updated BIT-1369:
---------------------------------

    Fix Version/s: 2.4

Kerberos Analyzer
-----------------

                Key: BIT-1369
                URL: https://bro-tracker.atlassian.net/browse/BIT-1369
            Project: Bro Issue Tracker
         Issue Type: New Feature
         Components: Bro
   Affects Versions: 2.4
           Reporter: Vlad Grigorescu
           Assignee: Vlad Grigorescu
            Fix For: 2.4

topic/vladg/kerberos has a Kerberos analyzer.
[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet
[ https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1364:
------------------------------

    Priority: Low  (was: Normal)

Bro does not attach UDP analyzers when signature matches after first packet
---------------------------------------------------------------------------

                Key: BIT-1364
                URL: https://bro-tracker.atlassian.net/browse/BIT-1364
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: git/master
           Reporter: Johanna Amann
           Priority: Low
            Fix For: 2.4
        Attachments: f1.pcap, f2.pcap

At the moment, Bro only seems to attach UDP analyzers based on signatures if the very first UDP packet matches the signature. Even if later UDP packets match the signature, the analyzer is not attached.

The attachments contain a test case. f1.pcap contains a DTLS connection with a few STUN packets that are sent first, which is not recognized as DTLS. f2.pcap contains the same connection with the first few packets missing.

It would probably be nice if one could at least opt to attach analyzers at a later time too, if a signature matches. (I know that 2.4 is probably a bit optimistic for this.)
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20226#comment-20226 ]

Robin Sommer commented on BIT-1339:
-----------------------------------

Turns out this needs more discussion, as the right solution isn't quite clear yet.

Remove src and dst from notice
------------------------------

                Key: BIT-1339
                URL: https://bro-tracker.atlassian.net/browse/BIT-1339
            Project: Bro Issue Tracker
         Issue Type: Improvement
         Components: Bro
   Affects Versions: git/master
           Reporter: Seth Hall
           Assignee: Seth Hall
            Fix For: 2.5

Email from Brian Kellog... Related to this, I'm planning on deprecating $src and $dst from notices and removing their use from all shipped Bro scripts.

{quote}
I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro appropriate way.

Couple questions: Is this the best way to accomplish this task? Secondly, if advisable, how do we get these script changes incorporated into Bro base? I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released.

Here's what I changed/added to some of the built-in detection scripts (lines with + are what I changed/added):

/opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro

  NOTICE([$note=Password_Guessing,
          $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
          $sub=sub_msg,
+         #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro

  NOTICE([$note=FTP::Bruteforcing,
+         #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
          $msg=message,
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/protocols/http/detect-sqli.bro

  NOTICE([$note=SQL_Injection_Attacker,
          $msg="An SQL injection attacker was discovered!",
          $email_body_sections=vector(format_sqli_samples(r$samples)),
+         #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
+         $sub=cat(format_sqli_samples(r$samples)),
          $identifier=cat(key$host)]);
  }]);
…
  NOTICE([$note=SQL_Injection_Victim,
          $msg="An SQL injection victim was discovered!",
          $email_body_sections=vector(format_sqli_samples(r$samples)),
+         #$src=key$host,
+         $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
+         $sub=cat(format_sqli_samples(r$samples)),
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/misc/scan.bro

  NOTICE([$note=Address_Scan,
          #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
+         #$p=to_port(key$str),
          $sub=side,
          $msg=message,
          $identifier=cat(key$host)]);
  }]);
…
  NOTICE([$note=Port_Scan,
          #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
+         #$dst=to_addr(key$str),
          $sub=side,
          $msg=message,
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/misc/detect-traceroute/main.bro

  NOTICE([$note=Traceroute::Detected,
          $msg=fmt("%s seems to be running traceroute using %s", src, proto),
+         #$src=src,
+         $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
          $identifier=cat(src,proto)]);
  }]);
{quote}
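Review bot: in the scan.bro Address_Scan notice, the added `$id=[...,$resp_p=key$str]` puts a string into the port field of a conn_id, which is a type clash in Bro (there is no implicit string-to-port coercion); the commented `#$p=to_port(key$str)` directly below already shows the conversion needed, so it should read `$resp_p=to_port(key$str)`. The Port_Scan notice has the same problem with `$resp_h=key$str`, where `to_addr(key$str)` is needed, as in the commented `#$dst=to_addr(key$str)`. Note also that the 0.0.0.0 and 0/tcp placeholders make half of each $id a sentinel rather than a real endpoint, which anything consuming notice.log by conn_id (ELSA grouping included) needs to treat as "unknown" rather than as an observed host or port.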
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1339:
------------------------------

    Fix Version/s: 2.5  (was: 2.4)

Remove src and dst from notice
------------------------------

                Key: BIT-1339
                URL: https://bro-tracker.atlassian.net/browse/BIT-1339
            Project: Bro Issue Tracker
         Issue Type: Improvement
         Components: Bro
   Affects Versions: git/master
           Reporter: Seth Hall
           Assignee: Seth Hall
            Fix For: 2.5

Email from Brian Kellog... Related to this, I'm planning on deprecating $src and $dst from notices and removing their use from all shipped Bro scripts.

{quote}
I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro appropriate way.

Couple questions: Is this the best way to accomplish this task? Secondly, if advisable, how do we get these script changes incorporated into Bro base? I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released.

Here's what I changed/added to some of the built-in detection scripts (lines with + are what I changed/added):

/opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro

  NOTICE([$note=Password_Guessing,
          $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
          $sub=sub_msg,
+         #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro

  NOTICE([$note=FTP::Bruteforcing,
+         #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
          $msg=message,
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/protocols/http/detect-sqli.bro

  NOTICE([$note=SQL_Injection_Attacker,
          $msg="An SQL injection attacker was discovered!",
          $email_body_sections=vector(format_sqli_samples(r$samples)),
+         #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
+         $sub=cat(format_sqli_samples(r$samples)),
          $identifier=cat(key$host)]);
  }]);
…
  NOTICE([$note=SQL_Injection_Victim,
          $msg="An SQL injection victim was discovered!",
          $email_body_sections=vector(format_sqli_samples(r$samples)),
+         #$src=key$host,
+         $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
+         $sub=cat(format_sqli_samples(r$samples)),
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/misc/scan.bro

  NOTICE([$note=Address_Scan,
          #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
+         #$p=to_port(key$str),
          $sub=side,
          $msg=message,
          $identifier=cat(key$host)]);
  }]);
…
  NOTICE([$note=Port_Scan,
          #$src=key$host,
+         $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
+         #$dst=to_addr(key$str),
          $sub=side,
          $msg=message,
          $identifier=cat(key$host)]);
  }]);

/opt/bro/share/bro/policy/misc/detect-traceroute/main.bro

  NOTICE([$note=Traceroute::Detected,
          $msg=fmt("%s seems to be running traceroute using %s", src, proto),
+         #$src=src,
+         $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
          $identifier=cat(src,proto)]);
  }]);
{quote}
[Bro-Dev] [JIRA] (BIT-1368) File type identification fixes
[ https://bro-tracker.atlassian.net/browse/BIT-1368?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1368:
------------------------------

    Fix Version/s: 2.4

File type identification fixes
------------------------------

                Key: BIT-1368
                URL: https://bro-tracker.atlassian.net/browse/BIT-1368
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: 2.4
           Reporter: Seth Hall
           Assignee: Seth Hall
            Fix For: 2.4

I have some changes nearly queued up for the 2.4 release in the repository (topic/seth/more-file-type-ident-fixes), but a bit more work needs to be done. There may be one more breaking change to the files API coming in this branch too. Jon and I discussed some options and I think that creating a new event named file_sniff in place of the file_mime_type event makes sense. We can put the mime type and more sniff-originated data in a record on that event so that we can extend it cleanly (and without breaking APIs) in the future. I think it will look something like this:

```
type fa_sniff: record {
	## Depth sniffed.
	depth: count &default=0;
	## Sniffed mime type if one was discovered.
	mime_type: string &optional;
};

event file_sniff(f: fa_file, sniff: fa_sniff)
	{
	if ( sniff?$mime_type )
		{
		print sniff$mime_type;
		}
	}
```

One other thing this branch will address is a performance degradation from certain file signatures interacting with each other poorly.
[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated
[ https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1365:
---------------------------------

    Assignee: Vlad Grigorescu

direction field of SSH::Info no longer populated
------------------------------------------------

                Key: BIT-1365
                URL: https://bro-tracker.atlassian.net/browse/BIT-1365
            Project: Bro Issue Tracker
         Issue Type: Problem
         Components: Bro
   Affects Versions: git/master
           Reporter: Jon Siwek
           Assignee: Vlad Grigorescu
            Fix For: 2.4

Here's the bug report:

{quote}
Reporter::ERROR field value missing [SSH::c$ssh$direction] /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro, line 29
Reporter::WARNING non-void function returns without a value: SSH::get_location (empty)

Tracing this back, it looks like the SSH::c$ssh$direction is not being populated. I checked the /base/protocols/ssh/main.bro file and it looks like the function is missing. Looking at https://www.bro.org/sphinx/_downloads/main32.bro and https://github.com/bro/bro/blob/master/scripts/base/protocols/ssh/main.bro it looks like the function that determined the direction was removed at one point, which looks like it causes the /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro script to fail.
{quote}
[Bro-Dev] [JIRA] (BIT-1360) Better error message when SpoolDir does not exist
[ https://bro-tracker.atlassian.net/browse/BIT-1360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1360:
    Resolution: Fixed
    Status: Closed (was: Open)

Better error message when SpoolDir does not exist
    Key: BIT-1360
    URL: https://bro-tracker.atlassian.net/browse/BIT-1360
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: BroControl
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Daniel Thayer
    Priority: Low
    Fix For: 2.4

Currently, the error message that is given when SpoolDir in broctl.cfg does not exist is rather unhelpful (something in the direction of "Cannot open database").
[Bro-Dev] [JIRA] (BIT-1370) SIP Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20222#comment-20222 ]

Aashish Sharma commented on BIT-1370:

I've been running Vlad's branch (2443d319112fd345878766618951c56c2fd65fbd) for a long while and, for all practical purposes, it's been running stable and blocking SIP scanners and logging SIP sessions. There are a couple of unknown_SIP_method entries (SUBSCRIBE and NOTIFY) in the weird logs. I will send Vlad pcaps for these specific ones. At present, I don't know if these are affecting anything per se.

SIP Analyzer
    Key: BIT-1370
    URL: https://bro-tracker.atlassian.net/browse/BIT-1370
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: Bro
    Affects Versions: 2.4
    Reporter: Vlad Grigorescu
    Assignee: Vlad Grigorescu

topic/vladg/sip has a SIP analyzer.
[Bro-Dev] [JIRA] (BIT-1349) Broctl stop output is not sorted anymore
[ https://bro-tracker.atlassian.net/browse/BIT-1349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20225#comment-20225 ]

Robin Sommer commented on BIT-1349:

Fixed in BIT-1362.

Broctl stop output is not sorted anymore
    Key: BIT-1349
    URL: https://bro-tracker.atlassian.net/browse/BIT-1349
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: BroControl
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Daniel Thayer
    Priority: Trivial
    Fix For: 2.4

Minor: the output of the worker nodes when doing broctl stop is not sorted anymore. We should either sort it (or just skip outputting it altogether) - at the moment it is not really useful; if there is no numerical order it is difficult to see if a number one wants to have in there is missing or not.
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1339:
    Assignee: (was: Seth Hall)

Remove src and dst from notice
    Key: BIT-1339
    URL: https://bro-tracker.atlassian.net/browse/BIT-1339
    Project: Bro Issue Tracker
    Issue Type: Improvement
    Components: Bro
    Affects Versions: git/master
    Reporter: Seth Hall
    Fix For: 2.5

Email from Brian Kellog... Related to this, I'm planning on deprecating $src and $dst from notices and removing their use from all shipped Bro scripts.

{quote}
I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro-appropriate way. A couple of questions: Is this the best way to accomplish this task? Secondly, if advisable, how do we get these script changes incorporated into Bro base? I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released.
Here's what I changed/add to some of the built-in detection scripts (Lines with + are what I changed/added): /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro NOTICE([$note=Password_Guessing, $msg=fmt(%s appears to be guessing SSH passwords (seen in %d connections)., key$host, r$num), $sub=sub_msg, + #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro NOTICE([$note=FTP::Bruteforcing, + #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], $msg=message, $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro NOTICE([$note=SQL_Injection_Attacker, $msg=An SQL injection attacker was discovered!, $email_body_sections=vector(format_sqli_samples(r$samples)), + #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], + $sub=cat(format_sqli_samples(r$samples)), $identifier=cat(key$host)]); }]); … NOTICE([$note=SQL_Injection_Victim, $msg=An SQL injection victim was discovered!, $email_body_sections=vector(format_sqli_samples(r$samples)), + #$src=key$host, + $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp], + $sub=cat(format_sqli_samples(r$samples)), $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/misc/scan.bro NOTICE([$note=Address_Scan, #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str], + #$p=to_port(key$str), $sub=side, $msg=message, $identifier=cat(key$host)]); }]); … NOTICE([$note=Port_Scan, #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp], + #$dst=to_addr(key$str), $sub=side, $msg=message, $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro NOTICE([$note=Traceroute::Detected, $msg=fmt(%s seems to be running traceroute using %s, src, proto), + #$src=src, + 
$id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp], $identifier=cat(src,proto)]); }]); {quote}
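Review bot: in the scan.bro region, `$resp_p=key$str` (Address_Scan) and `$resp_h=key$str` (Port_Scan) put the string `key$str` into the port- and addr-typed fields of `$id`, which Bro's type checker will reject; the needed conversions are right there but commented out (`#$p=to_port(key$str)`, `#$dst=to_addr(key$str)`), so the `$id` literals should read `$resp_p=to_port(key$str)` and `$resp_h=to_addr(key$str)` respectively.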
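Review bot: in the detect-sqli.bro region, `$sub=cat(format_sqli_samples(r$samples))` wraps a value that is already a string (the same call is passed to `$email_body_sections=vector(...)`, a vector of strings), so the `cat()` is redundant and `$sub=format_sqli_samples(r$samples)` is the cleaner form; it is also worth stating in the commit that the sampled request text now lands in the sub column of notice.log, since that is what downstream parsers such as ELSA will see.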
[Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers
[ https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20230#comment-20230 ]

Robin Sommer commented on BIT-1306:

Check the change.

bro process would get stuck/freeze with myricom drivers
    Key: BIT-1306
    URL: https://bro-tracker.atlassian.net/browse/BIT-1306
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Environment: OS: FreeBSD 9.3-RELEASE-p5
        bro version 2.3-328
        git log -1 --format=%H
        379593c7fded0f9791ae71a52dd78a4c9d5a2c1f
    Reporter: Aashish Sharma
    Labels: bro-git, myricom
    Fix For: 2.4

When I stop bro (in cluster mode), one of the bro worker processes (random) would get stuck and wouldn't shut down, stop or even be killed using kill -s 9. The system ultimately has to be rebooted to remove the stuck bro process.

On running myri_start_stop I see:

# /usr/local/opt/snf/sbin/myri_start_stop stop
Removing myri_snf.ko
kldunload: can't unload file: Device busy

It appears that the myri_snf.ko driver cannot be unloaded because of the stuck bro process. That process still has an open descriptor on the Sniffer device/driver and the bro process freezes.

More details: the bro process is stuck in RNE state:
    R  Marks a runnable process.
    N  The process has reduced CPU scheduling priority (see setpriority(2)).
    E  The process is trying to exit.

Here is an example:

### stuck process:
[bro@01 ~]$ ps auxwww | fgrep 1616
bro  1616 100.0  0.0 758040 60480  ??  RNE   2:57PM  53:50.04 /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro broctl/auto

When checking for the process in proc:
[bro@c ~]$ ls -l /proc/1616
ls: /proc/1616: No such file or directory
[Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers
[ https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1306:
    Assignee: Robin Sommer

bro process would get stuck/freeze with myricom drivers
    Key: BIT-1306
    URL: https://bro-tracker.atlassian.net/browse/BIT-1306
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Environment: OS: FreeBSD 9.3-RELEASE-p5
        bro version 2.3-328
        git log -1 --format=%H
        379593c7fded0f9791ae71a52dd78a4c9d5a2c1f
    Reporter: Aashish Sharma
    Assignee: Robin Sommer
    Labels: bro-git, myricom
    Fix For: 2.4

When I stop bro (in cluster mode), one of the bro worker processes (random) would get stuck and wouldn't shut down, stop or even be killed using kill -s 9. The system ultimately has to be rebooted to remove the stuck bro process.

On running myri_start_stop I see:

# /usr/local/opt/snf/sbin/myri_start_stop stop
Removing myri_snf.ko
kldunload: can't unload file: Device busy

It appears that the myri_snf.ko driver cannot be unloaded because of the stuck bro process. That process still has an open descriptor on the Sniffer device/driver and the bro process freezes.

More details: the bro process is stuck in RNE state:
    R  Marks a runnable process.
    N  The process has reduced CPU scheduling priority (see setpriority(2)).
    E  The process is trying to exit.

Here is an example:

### stuck process:
[bro@01 ~]$ ps auxwww | fgrep 1616
bro  1616 100.0  0.0 758040 60480  ??  RNE   2:57PM  53:50.04 /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro broctl/auto

When checking for the process in proc:
[bro@c ~]$ ls -l /proc/1616
ls: /proc/1616: No such file or directory
[Bro-Dev] [JIRA] (BIT-1370) SIP Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1370?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vlad Grigorescu updated BIT-1370:
    Fix Version/s: 2.4

SIP Analyzer
    Key: BIT-1370
    URL: https://bro-tracker.atlassian.net/browse/BIT-1370
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: Bro
    Affects Versions: 2.4
    Reporter: Vlad Grigorescu
    Assignee: Vlad Grigorescu
    Fix For: 2.4

topic/vladg/sip has a SIP analyzer.
[Bro-Dev] [JIRA] (BIT-1370) SIP Analyzer
Vlad Grigorescu created BIT-1370:

Summary: SIP Analyzer
    Key: BIT-1370
    URL: https://bro-tracker.atlassian.net/browse/BIT-1370
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: Bro
    Affects Versions: 2.4
    Reporter: Vlad Grigorescu
    Assignee: Vlad Grigorescu

topic/vladg/sip has a SIP analyzer.
[Bro-Dev] [JIRA] (BIT-1331) Bro manager crashes when logs rotate
[ https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1331:
    Priority: Normal (was: Low)

Bro manager crashes when logs rotate
    Key: BIT-1331
    URL: https://bro-tracker.atlassian.net/browse/BIT-1331
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master, 2.4
    Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
    Reporter: Josh Liburdi
    Fix For: 2.4

The Bro manager crashes when the logs rotate. Workers run fine through this process.

stderr.log output:

internal error: finish missing
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup $mybro $@
send-mail: SENDMAIL-NOTFOUND not found
[Bro-Dev] [JIRA] (BIT-947) Incorrect size calculation for SSH failed/successful heuristic
[ https://bro-tracker.atlassian.net/browse/BIT-947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-947:
    Resolution: Fixed
    Status: Closed (was: Open)

Incorrect size calculation for SSH failed/successful heuristic
    Key: BIT-947
    URL: https://bro-tracker.atlassian.net/browse/BIT-947
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Vlad Grigorescu
    Priority: Low
    Fix For: 2.4

We're getting a lot of false positives for successful SSH logins from a source that we recently blackholed. I suspect what's happening is that the retransmissions keep bumping up the size of the connection, until it crosses the threshold for a successful connection. With the changes from BIT-730: Find and fix tcp sequence counting bugs, is it possible to improve the accuracy of the reported size?
[Bro-Dev] [JIRA] (BIT-947) Incorrect size calculation for SSH failed/successful heuristic
[ https://bro-tracker.atlassian.net/browse/BIT-947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20232#comment-20232 ]

Robin Sommer commented on BIT-947:

Should be fixed with new SSH code.

Incorrect size calculation for SSH failed/successful heuristic
    Key: BIT-947
    URL: https://bro-tracker.atlassian.net/browse/BIT-947
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Vlad Grigorescu
    Priority: Low
    Fix For: 2.4

We're getting a lot of false positives for successful SSH logins from a source that we recently blackholed. I suspect what's happening is that the retransmissions keep bumping up the size of the connection, until it crosses the threshold for a successful connection. With the changes from BIT-730: Find and fix tcp sequence counting bugs, is it possible to improve the accuracy of the reported size?
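The heuristic in BIT-947 keys off the connection size, and the report's suspicion is that retransmitted segments inflate it. The following is an added Python illustration (not Bro's TCP analyzer) of counting one endpoint's bytes by how far the TCP sequence space has advanced rather than by summing every payload seen, so a retransmission adds nothing. The segments are constructed and include a retransmission and a 32-bit sequence-number wrap.

```python
"""Connection size by TCP sequence space rather than by summed payloads, so
retransmissions do not inflate what a size-based heuristic sees. Added
illustration for BIT-947, not Bro's TCP analyzer; segments are constructed."""
from dataclasses import dataclass
from typing import Iterable, Tuple

SEQ_MASK = 0xFFFFFFFF


@dataclass
class Segment:
    seq: int          # TCP sequence number of the first payload byte
    payload_len: int


class EndpointCounter:
    """Tracks one direction of a TCP connection."""

    def __init__(self, isn: int) -> None:
        self.isn = isn            # sequence number of the SYN; data starts at isn+1
        self.raw_bytes = 0        # naive total: every payload byte seen on the wire
        self.highest_end = 0      # furthest sequence-space byte seen, relative to isn+1

    def add(self, seg: Segment) -> None:
        self.raw_bytes += seg.payload_len
        # offset of this segment within the data stream; the mask makes the
        # subtraction correct across a 32-bit sequence-number wrap
        rel_start = (seg.seq - self.isn - 1) & SEQ_MASK
        rel_end = rel_start + seg.payload_len
        # a retransmission or re-ordered old segment never moves the high-water
        # mark forward, so it contributes nothing to unique_bytes
        if rel_end > self.highest_end:
            self.highest_end = rel_end

    @property
    def unique_bytes(self) -> int:
        """Bytes of distinct sequence space covered. Holes from packets the
        sensor never saw are counted as if seen; a real analyzer tracks those
        separately as gaps."""
        return self.highest_end


def size_connection(isn: int, segments: Iterable[Segment]) -> Tuple[int, int]:
    """Return (raw_bytes, unique_bytes) for one direction."""
    ctr = EndpointCounter(isn)
    for seg in segments:
        ctr.add(seg)
    return ctr.raw_bytes, ctr.unique_bytes


if __name__ == "__main__":
    # Constructed: 250 bytes of real data, one 100-byte retransmission
    segs = [Segment(1001, 100), Segment(1101, 100), Segment(1001, 100), Segment(1201, 50)]
    print(size_connection(1000, segs))        # raw 350, unique 250
    # Constructed: the stream crosses the 2^32 boundary
    wrap = [Segment(0xFFFFFF01, 256), Segment(0x00000001, 10)]
    print(size_connection(0xFFFFFF00, wrap))  # raw 266, unique 266
```

A threshold heuristic fed with `unique_bytes` instead of `raw_bytes` no longer drifts upward for a peer that keeps retransmitting into a blackholed host, which is the false-positive pattern the report describes.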
[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated
[ https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1365:
    Priority: Low (was: Normal)

direction field of SSH::Info no longer populated
    Key: BIT-1365
    URL: https://bro-tracker.atlassian.net/browse/BIT-1365
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Jon Siwek
    Assignee: Vlad Grigorescu
    Priority: Low
    Fix For: 2.4

Here's the bug report:

{quote}
Reporter::ERROR field value missing [SSH::c$ssh$direction] /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro, line 29
Reporter::WARNING non-void function returns without a value: SSH::get_location (empty)

Tracing this back, it looks like the SSH::c$ssh$direction is not being populated. I checked the /base/protocols/ssh/main.bro file and it looks like the function is missing. Looking at https://www.bro.org/sphinx/_downloads/main32.bro and https://github.com/bro/bro/blob/master/scripts/base/protocols/ssh/main.bro it looks like the function that determined the direction was removed at one point, which looks like it causes the /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro script to fail.
{quote}
[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated
[ https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1365:
    Priority: Normal (was: Low)

direction field of SSH::Info no longer populated
    Key: BIT-1365
    URL: https://bro-tracker.atlassian.net/browse/BIT-1365
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Jon Siwek
    Assignee: Vlad Grigorescu
    Fix For: 2.4

Here's the bug report:

{quote}
Reporter::ERROR field value missing [SSH::c$ssh$direction] /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro, line 29
Reporter::WARNING non-void function returns without a value: SSH::get_location (empty)

Tracing this back, it looks like the SSH::c$ssh$direction is not being populated. I checked the /base/protocols/ssh/main.bro file and it looks like the function is missing. Looking at https://www.bro.org/sphinx/_downloads/main32.bro and https://github.com/bro/bro/blob/master/scripts/base/protocols/ssh/main.bro it looks like the function that determined the direction was removed at one point, which looks like it causes the /usr/local/bro/share/bro/policy/protocols/ssh/geo-data.bro script to fail.
{quote}
[Bro-Dev] [JIRA] (BIT-1353) BroCtl status/top take excessive amount of time
[ https://bro-tracker.atlassian.net/browse/BIT-1353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20224#comment-20224 ]

Robin Sommer commented on BIT-1353:

set timeout to 30s and make configurable, revisit later when Broker is there

BroCtl status/top take excessive amount of time
    Key: BIT-1353
    URL: https://bro-tracker.atlassian.net/browse/BIT-1353
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: BroControl
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Daniel Thayer
    Fix For: 2.4

After running a large bro cluster for a few days on a FreeBSD system (FreeBSD 10.1, 28 physical nodes, 81 worker processes), broctl actions that interact with all nodes seem to take excessive amounts of time (2 minutes for a broctl status). This was not the case right after starting up the cluster. If there is any way I can help with more information, please let me know what to do.
[Bro-Dev] [JIRA] (BIT-1331) Bro manager crashes when logs rotate
[ https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1331:
    Priority: Low (was: High)

Bro manager crashes when logs rotate
    Key: BIT-1331
    URL: https://bro-tracker.atlassian.net/browse/BIT-1331
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master, 2.4
    Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
    Reporter: Josh Liburdi
    Priority: Low
    Fix For: 2.4

The Bro manager crashes when the logs rotate. Workers run fine through this process.

stderr.log output:

internal error: finish missing
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup $mybro $@
send-mail: SENDMAIL-NOTFOUND not found
[Bro-Dev] [JIRA] (BIT-1337) Bro worker crash - terminate after 'std::length_error'
[ https://bro-tracker.atlassian.net/browse/BIT-1337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1337:
    Assignee: Vlad Grigorescu

Bro worker crash - terminate after 'std::length_error'
    Key: BIT-1337
    URL: https://bro-tracker.atlassian.net/browse/BIT-1337
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Josh Liburdi
    Assignee: Vlad Grigorescu
    Fix For: 2.4

Running Bro master with the Kerberos and RDP analyzer branches resulted in one crashed worker on a pf_ring cluster. BroControl diag results below:

terminate called after throwing an instance of 'std::length_error'
  what():  basic_string::_S_create
/usr/local/bro/share/broctl/scripts/run-bro: line 85: 195850 Aborted (core dumped) nohup $mybro $@
[Bro-Dev] [JIRA] (BIT-1337) Bro worker crash - terminate after 'std::length_error'
[ https://bro-tracker.atlassian.net/browse/BIT-1337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20227#comment-20227 ]

Robin Sommer commented on BIT-1337:

Let's do a quick sanity check of the code.

Bro worker crash - terminate after 'std::length_error'
    Key: BIT-1337
    URL: https://bro-tracker.atlassian.net/browse/BIT-1337
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Josh Liburdi
    Fix For: 2.4

Running Bro master with the Kerberos and RDP analyzer branches resulted in one crashed worker on a pf_ring cluster. BroControl diag results below:

terminate called after throwing an instance of 'std::length_error'
  what():  basic_string::_S_create
/usr/local/bro/share/broctl/scripts/run-bro: line 85: 195850 Aborted (core dumped) nohup $mybro $@
[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support
[ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20231#comment-20231 ]

Johanna Amann commented on BIT-1363:

I am not sure we can do this easily, because we need something that makes sure that the same flows always go to the same bro workers... this seems like it might be a job for packet-bricks or similar and not for Bro.

Clustered AF_PACKET support
    Key: BIT-1363
    URL: https://bro-tracker.atlassian.net/browse/BIT-1363
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: Bro
    Affects Versions: git/master
    Reporter: Michal Purzynski

Let's have support for packet capture with AF_PACKET sockets in a multi-worker configuration. Bro can use a single worker with af_packet, I have tested it and it works, but having direct support for multi-worker load balancing would allow avoiding pf_ring for many deployments with traffic levels where DNA / ZC / Myricom / DAG is not required.
[Bro-Dev] [JIRA] (BIT-1154) Formatters restructured in: topic/seth/json-formatter
[ https://bro-tracker.atlassian.net/browse/BIT-1154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1154:
    Assignee: Seth Hall

Formatters restructured in: topic/seth/json-formatter
    Key: BIT-1154
    URL: https://bro-tracker.atlassian.net/browse/BIT-1154
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: Bro
    Affects Versions: 2.4
    Reporter: Seth Hall
    Assignee: Seth Hall
    Fix For: 2.4

topic/seth/json-formatter has an abstraction for Formatters and I created a formatters directory under threading. There is also a new JSON formatter and support in the Ascii and ElasticSearch writers for the JSON formatter. I went ahead and threw in per-filter configuration options for the Ascii writer for all of the options that were exposed globally too.
[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support
[ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20220#comment-20220 ]

Seth Hall commented on BIT-1363:

How did you test it? Did you write a new packet source plugin?

Clustered AF_PACKET support
    Key: BIT-1363
    URL: https://bro-tracker.atlassian.net/browse/BIT-1363
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: Bro
    Affects Versions: git/master
    Reporter: Michal Purzynski

Let's have support for packet capture with AF_PACKET sockets in a multi-worker configuration. Bro can use a single worker with af_packet, I have tested it and it works, but having direct support for multi-worker load balancing would allow avoiding pf_ring for many deployments with traffic levels where DNA / ZC / Myricom / DAG is not required.
[Bro-Dev] [JIRA] (BIT-1369) Kerberos Analyzer
Vlad Grigorescu created BIT-1369:

Summary: Kerberos Analyzer
    Key: BIT-1369
    URL: https://bro-tracker.atlassian.net/browse/BIT-1369
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: Bro
    Affects Versions: 2.4
    Reporter: Vlad Grigorescu
    Assignee: Vlad Grigorescu

topic/vladg/kerberos has a Kerberos analyzer.
[Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1263:
    Fix Version/s: (was: 2.4) 2.5

Implementing three event handlers for supported data structure in Modbus Analyzer
    Key: BIT-1263
    URL: https://bro-tracker.atlassian.net/browse/BIT-1263
    Project: Bro Issue Tracker
    Issue Type: Improvement
    Components: Bro
    Reporter: hui
    Priority: Low
    Labels: analyzer, modbus
    Fix For: 2.5

Three supporting data structures are defined in the Modbus analyzer: FileRecordRequest, FileRecordResponse, ReferenceWithData. Three event handlers are declared for them. The changes are already made and pushed into the branch: topic/hui/modbus-events2
[Bro-Dev] [JIRA] (BIT-1345) Crash due to a bad dictionary insert
[ https://bro-tracker.atlassian.net/browse/BIT-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1345:
    Assignee: Jon Siwek

Crash due to a bad dictionary insert
    Key: BIT-1345
    URL: https://bro-tracker.atlassian.net/browse/BIT-1345
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Reporter: Aaron Eppert
    Assignee: Jon Siwek
    Priority: High
    Fix For: 2.4

#0  0x00713b87 in Dictionary::Insert (this=0x1339840, new_entry=0xb18a9d0, copy_key=0) at /root/redacted/bro/src/Dict.cc:419
#1  0x007130b0 in Dictionary::Insert (this=0x1339840, key=0xa23f6d0, key_size=36, hash=658668102, val=0x67fde40, copy_key=0) at /root/redacted/bro/src/Dict.cc:158
#2  0x006cb508 in Dictionary::Insert (this=0x1339840, key=0x74ba81b0, val=0x67fde40) at /root/redacted/bro/src/Dict.h:47
#3  0x0077ee9b in IDPDict::Insert (this=0x1339840, key=0xebf780 "#redacted-redacted.redacted.redacted#21703#1182", val=0x67fde40) at /root/redacted/bro/src/Scope.h:18
#4  0x0077ef05 in Scope::Insert (this=0x133a8b0, name=0xebf780 "#redacted-redacted.redacted.redacted#21703#1182", id=0x67fde40) at /root/redacted/bro/src/Scope.h:26
#5  0x008010cc in MutableVal::Bind (this=0x14f451f0) at /root/redacted/bro/src/Val.cc:624
#6  0x00800ec8 in MutableVal::AddProperties (this=0x14f451f0, arg_props=2 '\002') at /root/redacted/bro/src/Val.cc:558
#7  0x0080a8d6 in RecordVal::AddProperties (this=0x14f451f0, arg_props=2 '\002') at /root/redacted/bro/src/Val.cc:2866
#8  0x00805948 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, k=0x0, new_val=0x14f451f0, op=OP_ASSIGN) at /root/redacted/bro/src/Val.cc:1502
#9  0x00805501 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, new_val=0x14f451f0, op=OP_ASSIGN) at /root/redacted/bro/src/Val.cc:1442
#10 0x00738b13 in IndexExpr::Assign (this=0x2087350, f=0x12073280, v=0x14f451f0, op=OP_ASSIGN) at /root/redacted/bro/src/Expr.cc:3135
#11 0x007362a2 in RefExpr::Assign (this=0x2087540, f=0x12073280, v=0x14f451f0, opcode=OP_ASSIGN) at /root/redacted/bro/src/Expr.cc:2463
#12 0x007370ea in AssignExpr::Eval (this=0x20874d0, f=0x12073280) at /root/redacted/bro/src/Expr.cc:2673
#13 0x007e22bb in ExprStmt::Exec (this=0x2087660, f=0x12073280, flow=@0x74ba8624) at /root/redacted/bro/src/Stmt.cc:369
#14 0x007e8375 in StmtList::Exec (this=0x2082c80, f=0x12073280, flow=@0x74ba8624) at /root/redacted/bro/src/Stmt.cc:1764
#15 0x0074e6cd in BroFunc::Call (this=0x2087e70, args=0x13525bb0, parent=0x0) at /root/redacted/bro/src/Func.cc:386
#16 0x00725883 in EventHandler::Call (this=0x2082160, vl=0x13525bb0, no_remote=false) at /root/redacted/bro/src/EventHandler.cc:80
#17 0x006d8cc2 in Event::Dispatch (this=0x620e610, no_remote=false) at /root/redacted/bro/src/Event.h:50
#18 0x00724ef7 in EventMgr::Dispatch (this=0xebd400) at /root/redacted/bro/src/Event.cc:111
#19 0x00725032 in EventMgr::Drain (this=0xebd400) at /root/redacted/bro/src/Event.cc:128
#20 0x00788828 in net_packet_dispatch (t=1426626559.98401, hdr=0x3314d40, pkt=0x7f14a8b464cc <Address 0x7f14a8b464cc out of bounds>, hdr_size=14, src_ps=0x3314c00) at /root/redacted/bro/src/Net.cc:278
#21 0x00a786d5 in iosource::PktSrc::Process (this=0x3314c00) at /root/redacted/bro/src/iosource/PktSrc.cc:411
#22 0x007889f8 in net_run () at /root/redacted/bro/src/Net.cc:320
#23 0x006d8157 in main (argc=20, argv=0x74ba9188) at /root/redacted/bro/src/main.cc:1200
[Bro-Dev] [JIRA] (BIT-1352) Certificate validation script does not deal well with root-certs being sent by server
[ https://bro-tracker.atlassian.net/browse/BIT-1352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1352:
    Fix Version/s: (was: 2.4) 2.5

Certificate validation script does not deal well with root-certs being sent by server
    Key: BIT-1352
    URL: https://bro-tracker.atlassian.net/browse/BIT-1352
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Johanna Amann
    Fix For: 2.5

Currently, the validate-certs script in policy does not deal well with certain certificate chains, where the trust-anchor is being sent by the server. We should be able to fix this by removing the trust-anchor automatically from the chain; solving this might potentially change the way root-certs are currently being loaded into Bro.

Example server: access.redhat.com
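One way to do what the issue proposes, as an added illustration that is not Bro's validate-certs script: strip from the server-sent chain any certificate that is already in the local trust store (matched by fingerprint), then walk the remaining chain from the leaf to see whether it ends at a trust-store issuer. The `Cert` stand-in below holds only names and a fingerprint; it does no X.509 parsing and no signature verification, and every name and fingerprint in it is constructed.

```python
"""Removing a server-sent trust anchor from a certificate chain before
validation (BIT-1352). Added illustration with a minimal certificate
stand-in: no X.509 parsing, no signature checks; all values constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str   # stands in for the SHA-256 of the DER encoding

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def strip_trust_anchors(chain: List[Cert], store: Dict[str, Cert]) -> List[Cert]:
    """Drop chain entries already present in the trust store (fingerprint
    match). A self-signed certificate that is NOT in the store is kept on
    purpose: being self-signed is not what makes a root trusted, so the
    server does not get to declare its own anchor by shipping one."""
    return [c for c in chain if c.fingerprint not in store]


def chains_to_store(chain: List[Cert], store: Dict[str, Cert]) -> bool:
    """Walk leaf -> issuer through the stripped chain and report whether the
    last link is issued by a trust-store certificate (name linkage only)."""
    chain = strip_trust_anchors(chain, store)
    if not chain:
        return False                      # nothing left to validate
    by_subject = {c.subject: c for c in chain}
    store_subjects = {c.subject for c in store.values()}
    cur, seen = chain[0], set()
    while cur.subject not in seen:
        seen.add(cur.subject)
        if cur.issuer in store_subjects:
            return True                   # reached a trusted issuer
        if cur.self_signed:
            return False                  # unknown root shipped by the server
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            return False                  # issuer neither sent nor trusted
        cur = nxt
    return False                          # cycle in the presented chain


# Constructed trust store and chains (names are placeholders, not real CAs)
ROOT = Cert("Example Root CA", "Example Root CA", "fp-root")
TRUST_STORE = {ROOT.fingerprint: ROOT}
INTER = Cert("Example Intermediate CA", "Example Root CA", "fp-inter")
LEAF = Cert("access.example", "Example Intermediate CA", "fp-leaf")
EVIL_ROOT = Cert("Evil Root", "Evil Root", "fp-evil")
EVIL_LEAF = Cert("access.example", "Evil Root", "fp-evil-leaf")

if __name__ == "__main__":
    # server sends leaf + intermediate + the root we already trust
    print(chains_to_store([LEAF, INTER, ROOT], TRUST_STORE))   # True
    # server sends its own self-signed root: stripped nothing, still untrusted
    print(chains_to_store([EVIL_LEAF, EVIL_ROOT], TRUST_STORE))  # False
```

The point of matching by fingerprint rather than by "is self-signed" is the second case: a chain ending in a self-signed certificate the store does not know must still fail, otherwise removing anchors would quietly turn into trusting whatever root the server presents.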
[Bro-Dev] [JIRA] (BIT-1349) Broctl stop output is not sorted anymore
[ https://bro-tracker.atlassian.net/browse/BIT-1349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1349:
    Resolution: Fixed
    Status: Closed (was: Open)

Broctl stop output is not sorted anymore
    Key: BIT-1349
    URL: https://bro-tracker.atlassian.net/browse/BIT-1349
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: BroControl
    Affects Versions: git/master
    Reporter: Johanna Amann
    Assignee: Daniel Thayer
    Priority: Trivial
    Fix For: 2.4

Minor: the output of the worker nodes when doing broctl stop is not sorted anymore. We should either sort it (or just skip outputting it altogether) - at the moment it is not really useful; if there is no numerical order it is difficult to see if a number one wants to have in there is missing or not.
[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support
[ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20229#comment-20229 ]

Michal Purzynski commented on BIT-1363:

No, I used unmodified Bro 2.3 and started it on a router with a configuration like this:

    [manager]
    type=manager
    host=172.19.254.254

    [proxy-1]
    type=proxy
    host=172.19.254.254

    [nsm1-eth0]
    type=worker
    host=172.19.254.254
    interface=eth0

Bro starts with a single worker and logs are generated.

    Name       Type     Host            Status   Pid    Peers  Started
    manager    manager  172.19.254.254  running  16784  2      20 Feb 23:45:34
    proxy-1    proxy    172.19.254.254  running  16824  2      20 Feb 23:45:36
    nsm1-eth0  worker   172.19.254.254  running  16849  2      20 Feb 23:45:38

Clustered AF_PACKET support

    Key: BIT-1363
    URL: https://bro-tracker.atlassian.net/browse/BIT-1363
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: Bro
    Affects Versions: git/master
    Reporter: Michal Purzynski

Let's have support for packet capture with AF_PACKET sockets in a multi-worker configuration. Bro can use a single worker with af_packet; I have tested it and it works, but having direct support for multi-worker load balancing would allow avoiding pf_ring for many deployments at traffic levels where DNA / ZC / Myricom / DAG is not required.
[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support
[ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20237#comment-20237 ]

Michal Purzynski commented on BIT-1363:

http://man7.org/linux/man-pages/man7/packet.7.html

    PACKET_FANOUT_HASH sends packets from the same flow to the same socket to maintain per-flow ordering. For each packet, it chooses a socket by taking the packet flow hash modulo the number of sockets in the group, where a flow hash is a hash over network-layer address and optional transport-layer port fields.

So each process would need to create a socket, join the same group of sockets with setsockopt(), and begin receiving packets. FANOUT_HASH even has optional defragmentation support.

Clustered AF_PACKET support

    Key: BIT-1363
    URL: https://bro-tracker.atlassian.net/browse/BIT-1363
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: Bro
    Affects Versions: git/master
    Reporter: Michal Purzynski
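The socket setup the comment above describes, as an added example that is not Bro code and not part of the issue: each worker opens an AF_PACKET socket, binds it to the capture interface and joins a shared fanout group through setsockopt(PACKET_FANOUT) in hash mode with the defragmentation flag. The interface name and group id are placeholders; the helper names are mine.

```c
/* Added example, not Bro code: a worker joins an AF_PACKET fanout group so the
 * kernel hashes each flow to exactly one member socket (see packet(7)). Linux only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
/* PACKET_FANOUT takes one 32-bit value: group id in the low 16 bits,
 * (type | flags) in the high 16 bits; the PACKET_FANOUT_FLAG_* constants already
 * sit in the upper byte of that half-word, so they simply OR with the type. */
uint32_t fanout_arg(uint16_t group_id, uint16_t type, uint16_t flags)
{
    return (uint32_t)group_id | ((uint32_t)(type | flags) << 16);
}
/* Inverse of fanout_arg, e.g. for checking a value read back with getsockopt(). */
void fanout_decode(uint32_t arg, uint16_t *group_id, uint16_t *type, uint16_t *flags)
{
    uint16_t hi = (uint16_t)(arg >> 16);
    *group_id = (uint16_t)(arg & 0xffff);
    *type = hi & 0x00ff;
    *flags = hi & 0xff00;
}
/* Open a raw AF_PACKET socket on ifname and join fanout group group_id in
 * HASH mode with DEFRAG, so fragments are reassembled before hashing and a
 * fragmented flow is not split across workers. Every worker process calls
 * this with the same group_id. Needs CAP_NET_RAW; returns -1 on failure. */
int join_fanout_group(const char *ifname, uint16_t group_id)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket"); return -1; }
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = (int)if_nametoindex(ifname);   /* 0 means no such interface */
    if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        perror("bind"); close(fd); return -1;
    }
    uint32_t arg = fanout_arg(group_id, PACKET_FANOUT_HASH, PACKET_FANOUT_FLAG_DEFRAG);
    if (setsockopt(fd, SOL_PACKET, PACKET_FANOUT, &arg, sizeof arg) < 0) {
        perror("setsockopt(PACKET_FANOUT)"); close(fd); return -1;
    }
    return fd;   /* caller recv()s from fd; the kernel now hands it one share of flows */
}
```

A second worker calling join_fanout_group("eth0", 1234) on the same host lands in the same group, so adding workers is a matter of starting more processes with the same id.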
