[Bro-Dev] [JIRA] (BIT-1372) Clean up ---help

[ https://bro-tracker.atlassian.net/browse/BIT-1372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1372:
------------------------------

    Resolution: Fixed
        Status: Closed  (was: In Progress)

Clean up ---help
----------------

           Key: BIT-1372
           URL: https://bro-tracker.atlassian.net/browse/BIT-1372
       Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
      Reporter: Robin Sommer
      Assignee: Robin Sommer
       Fix For: 2.4

Remove netflow and DFA cache (plus dead code).

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1356) Bro process sticks around after broctl stop

[ https://bro-tracker.atlassian.net/browse/BIT-1356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20258#comment-20258 ]

Robin Sommer commented on BIT-1356:
-----------------------------------

Can somebody see if 0620bc97 helps?

Bro process sticks around after broctl stop
-------------------------------------------

             Key: BIT-1356
             URL: https://bro-tracker.atlassian.net/browse/BIT-1356
         Project: Bro Issue Tracker
      Issue Type: Problem
      Components: BroControl
Affects Versions: git/master
        Reporter: Johanna Amann
        Assignee: Daniel Thayer
         Fix For: 2.4

It seems that after running a broctl stop not all bro processes are killed immediately. On our cluster, one of the processes keeps running; it seems like it eventually terminates after all log-compression is done. Is that on purpose or is that a bug?

Ps output (on the node running the manager, bro process in first line, including the running compression jobs for completeness):

{code}
$ ps -ax | grep bro
23353  -  IN   20:06.96 /xa/bro/master/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
24979  -  I     0:00.01 bash /xa/bro/master/share/broctl/scripts/archive-log http.2015-03-25-14-40-30.log http 15-03-25_14.40.30 15-03-25_16.29.29 1 ascii
25047  -  I     0:00.01 bash /xa/bro/master/share/broctl/scripts/archive-log conn.2015-03-25-14-40-30.log conn 15-03-25_14.40.30 15-03-25_16.29.29 1 ascii
25841  -  S     0:00.59 bash /xa/bro/master/share/broctl/scripts/post-terminate /xa/bro/master/spool/manager
29204  0  D+    0:00.00 grep bro
{code}
Re: [Bro-Dev] Bro nightly packages for .dev and .rpm based distributions

Hello,

the bro package on the Opensuse Build Service just moved to its final location in network:bro. So - the obs interface is now available at

https://build.opensuse.org/project/show/network:bro

and builds for bro-nightly will be available at

http://software.opensuse.org/download.html?project=network%3Abro&package=bro-nightly

(currently it still is a 404; should hopefully be available within the next few hours). The binaries at the old location will no longer be updated.

Johanna

On Thu, Feb 12, 2015 at 12:53:51PM -0800, Johanna Amann wrote:
> Hello,
>
> we are considering to provide packages for a number of different .deb and .rpm based distributions starting with Bro 2.4, using the OpenSuse build service.
>
> As a first step, I have created a repository that contains nightly Bro builds for CentOS, Debian, Fedora, Suse Linux, Scientific Linux, Univention as well as Ubuntu.
>
> At the moment, Bro is installed into /opt/bro and broctl needs root permissions to run. Users in the Bro group (which is automatically created on installation) should be able to modify configuration files like local.bro, or the broctl configuration, and read the log files that Bro writes.
>
> The package is called bro-nightly, which is a metapackage which pulls in the sub-packages
>
>   bro-core-nightly, containing only bro without broctl or libbroccoli
>   broctl-nightly, containing broctl
>   libbroccoli-nightly, containing libbroccoli
>   and libbroccoli-devel-nightly, containing the header files for libbroccoli
>
> The obs interface showing the status and sources is available at
>
> https://build.opensuse.org/package/show/home:0xxon:bro/bro-nightly
>
> and downloads are available at
>
> http://software.opensuse.org/download.html?project=home%3A0xxon%3Abro&package=bro-nightly
>
> (locations will change in the future). If you add the repositories to your distribution, new nightly builds should automatically be installed each time bro is updated.
>
> Additionally, Bro 2.3.2 packages are available at https://build.opensuse.org/package/show/home:0xxon:bro/bro.
>
> At the moment, this is in an early stage and I would be happy to receive any kind of feedback or problems that you encounter when using these packages. Please note that the packages have not gone through a lot of testing and that you should not use them in a production environment :)
>
> Johanna
[Bro-Dev] [JIRA] (BIT-1368) File type identification fixes

[ https://bro-tracker.atlassian.net/browse/BIT-1368?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1368:
------------------------------

    Assignee: Seth Hall  (was: Jon Siwek)

File type identification fixes
------------------------------

             Key: BIT-1368
             URL: https://bro-tracker.atlassian.net/browse/BIT-1368
         Project: Bro Issue Tracker
      Issue Type: Problem
      Components: Bro
Affects Versions: 2.4
        Reporter: Seth Hall
        Assignee: Seth Hall
         Fix For: 2.4

I have some changes nearly queued up for 2.4 release in the repository (topic/seth/more-file-type-ident-fixes) but a bit more work needs to be done. There may be one more breaking change to the files API coming in this branch too.

Jon and I discussed some options and I think that creating a new event named file_sniff in place of the file_mime_type event makes sense. We can put the mime type and more sniff-originated data in a record on that event so that we can extend it cleanly (and without breaking APIs) in the future. I think it will look something like this:

```
type fa_sniff: record {
	## Depth sniffed.
	depth: count &default=0;
	## Sniffed mime type if one was discovered.
	mime_type: string &optional;
};

event file_sniff(f: fa_file, sniff: fa_sniff)
	{
	if ( sniff?$mime_type )
		{
		print sniff$mime_type;
		}
	}
```

One other thing this branch will address is a performance degradation from certain file signatures interacting with each other poorly.
[Bro-Dev] [JIRA] (BIT-1368) File type identification fixes

[ https://bro-tracker.atlassian.net/browse/BIT-1368?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20256#comment-20256 ]

Jon Siwek commented on BIT-1368:
--------------------------------

Seth, topic/jsiwek/bit-1368 has the changes to the mime type detection script API that you can merge into your branch for finalization when you're ready. For the naming, I went with:

{code}
## Metadata that's been inferred about a particular file.
type inferred_file_metadata: record {
	## The strongest matching mime type if one was discovered.
	mime_type: string &optional;
	## All matching mime types if any were discovered.
	mime_types: mime_matches &optional;
};

event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata);
{code}

File type identification fixes
------------------------------

             Key: BIT-1368
             URL: https://bro-tracker.atlassian.net/browse/BIT-1368
         Project: Bro Issue Tracker
      Issue Type: Problem
      Components: Bro
Affects Versions: 2.4
        Reporter: Seth Hall
        Assignee: Seth Hall
         Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers

[ https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20257#comment-20257 ]

klehigh commented on BIT-1306:
------------------------------

Tested the patch on FreeBSD-10.1-p9 with bro 2.3-680 and Myricom SNF v3 drivers and it resolves this issue.

bro process would get stuck/freeze with myricom drivers
-------------------------------------------------------

             Key: BIT-1306
             URL: https://bro-tracker.atlassian.net/browse/BIT-1306
         Project: Bro Issue Tracker
      Issue Type: Problem
      Components: Bro
Affects Versions: git/master
     Environment: OS: FreeBSD 9.3-RELEASE-p5
                  bro version 2.3-328
                  git log -1 --format=%H
                  379593c7fded0f9791ae71a52dd78a4c9d5a2c1f
        Reporter: Aashish Sharma
        Assignee: Robin Sommer
          Labels: bro-git, myricom
         Fix For: 2.4

When I stop bro (in cluster mode), one of the bro worker processes (random) would get stuck and wouldn't shutdown, stop or even be killed using kill -s 9. System has to be ultimately rebooted to remove the stuck bro process.

On running myri_start_stop I see:

# /usr/local/opt/snf/sbin/myri_start_stop stop
Removing myri_snf.ko
kldunload: can't unload file: Device busy

It appears that the myri_snf.ko driver cannot be unloaded because of the stuck bro process. That process still has an open descriptor on the Sniffer device/driver and the bro process freezes.

More details:

The bro process is stuck in RNE state:

  R  Marks a runnable process.
  N  The process has reduced CPU scheduling priority (see setpriority(2)).
  E  The process is trying to exit.

Here is an example:

### stuck process:
[bro@01 ~]$ ps auxwww | fgrep 1616
bro  1616 100.0  0.0 758040 60480  ??  RNE   2:57PM  53:50.04 /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro broctl/auto

when checking for process in proc:
[bro@c ~]$ ls -l /proc/1616
ls: /proc/1616: No such file or directory
[Bro-Dev] [JIRA] (BIT-1372) Clean up ---help

[ https://bro-tracker.atlassian.net/browse/BIT-1372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1372:
------------------------------

        Status: Reopened  (was: Closed)
    Resolution:           (was: Fixed)

Clean up ---help
----------------

           Key: BIT-1372
           URL: https://bro-tracker.atlassian.net/browse/BIT-1372
       Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
      Reporter: Robin Sommer
      Assignee: Robin Sommer
       Fix For: 2.4

Remove netflow and DFA cache (plus dead code).
[Bro-Dev] [JIRA] (BIT-1372) Clean up ---help

[ https://bro-tracker.atlassian.net/browse/BIT-1372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1372:
------------------------------

        Status: In Progress  (was: Reopened)

Clean up ---help
----------------

           Key: BIT-1372
           URL: https://bro-tracker.atlassian.net/browse/BIT-1372
       Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
      Reporter: Robin Sommer
      Assignee: Robin Sommer
       Fix For: 2.4

Remove netflow and DFA cache (plus dead code).