Re: [Bro-Dev] attributes & named types

2018-11-05 Thread Vlad Grigorescu
On Mon, Nov 5, 2018 at 4:40 PM Robin Sommer wrote: > > > On Sat, Nov 03, 2018 at 21:58 +0000, Vlad Grigorescu wrote: > > > In my mind, if the keyword is applied to a record, I would expect any new > > fields added to that record to also be logged. > > I be

Re: [Bro-Dev] attributes & named types

2018-11-03 Thread Vlad Grigorescu
On Sat, Nov 3, 2018 at 9:14 PM Vern Paxson wrote: > Thanks for the pointers & thoughts! A quick question, more in a bit: > > > To better understand the existing behavior, here's the commit that > > introduced this (specifically with regards to conn_id): > > >

Re: [Bro-Dev] attributes & named types

2018-11-03 Thread Vlad Grigorescu
To better understand the existing behavior, here's the commit that introduced this (specifically with regards to conn_id): https://github.com/bro/bro/commit/38a1aa5a346d10de32f9b40e0869cdb48a98974b > The keyword now operates as discussed: > > - When associated with individual record fields,

Re: [Bro-Dev] Any 2.6 release blockers?

2018-10-29 Thread Vlad Grigorescu
Ok, just submitted: https://github.com/bro/bro/pull/198 On Mon, Oct 29, 2018 at 7:24 PM Vlad Grigorescu wrote: > I'd really like to fix this: https://github.com/bro/bro/issues/195 > > I've gotten reports from a few people that that fills up the disk in > environments that encrypt

Re: [Bro-Dev] Any 2.6 release blockers?

2018-10-29 Thread Vlad Grigorescu
I'd really like to fix this: https://github.com/bro/bro/issues/195 I've gotten reports from a few people that that fills up the disk in environments that encrypt MySQL. I'll take one more crack at it now. --Vlad On Mon, Oct 29, 2018 at 7:22 PM Jon Siwek wrote: > Anyone have any last minute

[Bro-Dev] bro-pkg Bro version requirements

2018-10-16 Thread Vlad Grigorescu
It strikes me that as Bro development marches on, package maintainers don't have great choices in terms of maintaining compatibility with multiple Bro versions. For JA3, to maintain compatibility, you have to do something like this, due to the SSL event change: @if ( Version::at_least("2.6") ) >

Re: [Bro-Dev] SSH Capabilities Bug: Fix for 2.6?

2018-10-16 Thread Vlad Grigorescu
Just for anyone who wanted some closure on this, I've submitted the PR: https://github.com/bro/bro/pull/191 On Mon, Oct 15, 2018 at 10:21 PM Vlad Grigorescu wrote: > Sure, I'll do that. > On Mon, Oct 15, 2018 at 16:19 Jon Siwek wrote: > >> On Mon, Oct 15, 2018 at 3:33 PM Vlad Gr

Re: [Bro-Dev] SSH Capabilities Bug: Fix for 2.6?

2018-10-15 Thread Vlad Grigorescu
Sure, I'll do that. On Mon, Oct 15, 2018 at 16:19 Jon Siwek wrote: > On Mon, Oct 15, 2018 at 3:33 PM Vlad Grigorescu wrote: > > > The SSH Capabilities record has the following field, which is being set > incorrectly: > > > >> ## Are these

[Bro-Dev] SSH Capabilities Bug: Fix for 2.6?

2018-10-15 Thread Vlad Grigorescu
During BroCon, someone brought a bug in the SSH analyzer to my attention. The SSH Capabilities record has the following field, which is being set incorrectly: ## Are these the capabilities of the server? > is_server: bool; > > result->Assign(6, new

Re: [Bro-Dev] S7Comm/S7CommPlus Analyzer

2018-09-24 Thread Vlad Grigorescu
Hi Dane, Thanks for sending this along. I'll have to check it out. One thing I noticed -- do you mind filling out the license in COPYING.edit-me? Without a valid copyright, it's hard to figure out what all we can do with this. Thanks, --Vlad On Sun, Sep 23, 2018 at 3:04 PM DW wrote: > Hi there,

Re: [Bro-Dev] JIRA to GitHub ticket migration plan

2018-09-18 Thread Vlad Grigorescu
On Sat, Sep 15, 2018 at 1:28 AM Robin Sommer wrote: > Are Jenkins and Coverity already pulling from GitHub? > No, I thought Jenkins was pushing to Coverity. Is the plan to have GitHub issues within each repo? That is, bro, binpac, etc. I think we'd lose the easy way to see all issues, but if I

Re: [Bro-Dev] DHCP event removal

2018-08-10 Thread Vlad Grigorescu
On Fri, Jun 15, 2018 at 9:38 PM, Vlad Grigorescu wrote: > Even if it's not widely used, I think it'd be a nicer user experience if > we were to ship a script that handled dhcp_message, and raised the old > events. We could mark the old events as deprecated, and remove them in the >

Re: [Bro-Dev] DHCP event removal

2018-06-16 Thread Vlad Grigorescu
Yep, already working on it. :-) On Sat, Jun 16, 2018 at 6:26 AM, Seth Hall wrote: > > On 15 Jun 2018, at 17:22, Azoff, Justin S wrote: > > > The fix is a little trickier, you can't handle both events because the > > DHCP::Msg type no longer exists and you need to wrap the old event > > with > >

Re: [Bro-Dev] $history extensions - zero windows, logarithmic counts

2018-06-15 Thread Vlad Grigorescu
On Fri, Jun 15, 2018 at 9:54 PM, Vern Paxson wrote: > > it unclear on the logarithmic > > counts. Take, for instance SaDtTtT. If I'm reading this correctly, I > think > > that means 10-99 retransmissions from orig, followed by 10-99 from resp, > > then more retransmissions from orig (enough to

Re: [Bro-Dev] DHCP event removal

2018-06-15 Thread Vlad Grigorescu
Yeah, I've mainly seen it used for shellshock. On top of that, I saw some scripts in GitHub that used it from: - Michal: https://github.com/michalpurzynski/bro-gramming/blob/master/dhcpr.bro - Matthias: https://github.com/bro/bro-scripts/blob/master/roam.bro - Grant Stavely:

Re: [Bro-Dev] $history extensions - zero windows, logarithmic counts

2018-06-15 Thread Vlad Grigorescu
I think this is a useful feature. I'm a bit unclear on the logarithmic counts. Take, for instance SaDtTtT. If I'm reading this correctly, I think that means 10-99 retransmissions from orig, followed by 10-99 from resp, then more retransmissions from orig (enough to reach a total of 100-999), and

[Bro-Dev] bro-devel package?

2018-05-24 Thread Vlad Grigorescu
There are a couple of cases where I think it'd be useful to have a bro-devel package -- a package that I can install on a system, and then be able to build plugins against Bro. (This is the same model as other *-devel packages, such as openssl, libpcap, etc.) Right now, if I compile Bro from

Re: [Bro-Dev] How to deal with stale branches?

2018-04-26 Thread Vlad Grigorescu
Yeah, that's certainly one option, but I think it'd be hard for people to find. On Thu, Apr 26, 2018 at 8:15 PM, Jon Siwek <jsi...@corelight.com> wrote: > > > On 4/26/18 11:06 AM, Vlad Grigorescu wrote: > > I'm torn between deleting the branches, in an effort to not clog up

[Bro-Dev] How to deal with stale branches?

2018-04-26 Thread Vlad Grigorescu
I have a couple of branches that, for whatever reason, aren't headed for a merge request into master. The branches were left around for reference, in case someone wanted to pick up and continue the work. However, this too now looks very unlikely, as some of these are several years old, and of

Re: [Bro-Dev] Weirdness with event ssh_capabilities

2018-04-24 Thread Vlad Grigorescu
Hi John, First, here's code that works: http://try.bro.org/#/trybro/saved/228261 (This is longer, because technically, clients and servers can specify different algs for each direction). Here's the relevant bit of Bro code:

Re: [Bro-Dev] UDP connection_established event?

2018-03-05 Thread Vlad Grigorescu
odel a bit better. On Mon, Mar 5, 2018 at 4:55 AM, Jan Grashöfer <jan.grashoe...@gmail.com> wrote: > On 02/03/18 03:52, Vlad Grigorescu wrote: > > I would like to propose a new event in Bro, one that would fire when a > UDP > > connection is established (i.e. a response is o

[Bro-Dev] UDP connection_established event?

2018-03-01 Thread Vlad Grigorescu
I would like to propose a new event in Bro, one that would fire when a UDP connection is established (i.e. a response is observed within some time frame after a request is seen). Basically, the UDP equivalent of connection_established. Currently, I think the only way to do this would be either

Re: [Bro-Dev] Configuration framework syntax proposal

2017-09-21 Thread Vlad Grigorescu
First of all, thanks to Johanna for getting this discussion going, and thanks to everyone who's weighed in so far. I'm really excited to see this feature in Bro, and I'm also happy to see how much interest this has already garnered. To extend what Seth said about our two user groups -- I think

[Bro-Dev] Source Package for caf?

2017-07-06 Thread Vlad Grigorescu
About a year ago, I was trying to get the Bro test suite running in Travis CI. To make this easier, I was trying to get caf added as a whitelisted package to Travis CI. Unfortunately, this failed because there was no source package available for caf:

Re: [Bro-Dev] 2.5.1 release?

2017-05-12 Thread Vlad Grigorescu
Correct, I agree. I just did another review of CHANGES, and didn't spot anything concerning. We'll look at upgrading our test cluster (and UIUC's test cluster) to master. On Fri, May 12, 2017 at 8:48 PM, Slagell, Adam J wrote: > > > > On May 12, 2017, at 4:09 PM, Seth Hall

[Bro-Dev] Splitting up init-bare?

2017-02-10 Thread Vlad Grigorescu
What do people think about splitting up portions of init-bare into separate files, and having init-bare simply @load those files? Right now, it's a 4500+ line script that keeps growing, and it commonly results in conflicts. For the protocols, I could see having a file such as

Re: [Bro-Dev] CBAN naming

2016-06-06 Thread Vlad Grigorescu
Having reread through the discussion, I want to try to take a step back and review some of it. I believe there are two goals in play: 1) From a user's perspective, the principle of least astonishment. Names matter, and choosing something intuitive or familiar means we're not raising the barrier

Re: [Bro-Dev] which of these Lintian error messages need tickets?

2016-05-02 Thread Vlad Grigorescu
I'll take a shot: > *1. binary file built without LFS support* > binpac: > binary-file-built-without-LFS-support > > usr/bin/binpac > > bro (2.4.1+dfsg-2+b3; main): > binary-file-built-without-LFS-support >

[Bro-Dev] [JIRA] (BIT-1578) dns_unmatched_msg weird has no connection associated with it

2016-04-28 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1578: Summary: dns_unmatched_msg weird has no connection associated with it Key: BIT-1578 URL: https://bro-tracker.atlassian.net/browse/BIT-1578 Project: Bro Issue Tracker

Re: [Bro-Dev] Deleting old branches

2016-04-26 Thread Vlad Grigorescu
Hooray, thanks for taking this on! I just did a quick check for branches named ticket* or bit* and all those tickets have been closed (I wanted to check if they had been left open with the idea that someone would circle back to that branch and add feature X). From my end, all the topic/vladg

Re: [Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readabiity

2016-04-26 Thread Vlad Grigorescu
I'm not sure I agree without additional context. ICMP exfil is a known technique. Wouldn't you want to know if all of a sudden, you started seeing gigs of ICMP? Or is there some other limitation that would make detecting this problematic? What I would recommend instead is simply adding the

[Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

2016-04-20 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=25803#comment-25803 ] Vlad Grigorescu commented on BIT-1506: -- [~johanna] - Sure, that's a good idea. Is it reasonable to add

Re: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

2016-04-10 Thread Vlad Grigorescu
--- > > > > Key: BIT-1506 > > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > > Project: Bro Issue Tracker > > Issue Type: Problem > > Components: Bro > >

[Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

2016-04-08 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=25601#comment-25601 ] Vlad Grigorescu commented on BIT-1506: -- Seth said that he uses MacPorts, so it's possible that we

[Bro-Dev] [JIRA] (BIT-1528) SNMP and SIP scans show up in known services.

2016-03-24 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1528: - Status: Merge Request (was: Open) Assignee: (was: Vlad Grigorescu) > SNMP and

[Bro-Dev] [JIRA] (BIT-1528) SNMP and SIP scans show up in known services.

2016-03-24 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=25201#comment-25201 ] Vlad Grigorescu commented on BIT-1528: -- Completed in topic/vladg/bit-1528. > SNMP and SIP scans show

[Bro-Dev] [JIRA] (BIT-1533) mysql analyzer does not set service to mysql

2016-03-19 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=25005#comment-25005 ] Vlad Grigorescu commented on BIT-1533: -- Fixed in topic/vladg/bit-1533 > mysql analyzer does not

[Bro-Dev] [JIRA] (BIT-1551) Broctl plugins in Bro plugins

2016-03-11 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1551?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=24807#comment-24807 ] Vlad Grigorescu commented on BIT-1551: -- Assigning to Daniel for the broctl piece. > Broctl plugins in

[Bro-Dev] [JIRA] (BIT-1551) Broctl plugins in Bro plugins

2016-03-11 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1551: Summary: Broctl plugins in Bro plugins Key: BIT-1551 URL: https://bro-tracker.atlassian.net/browse/BIT-1551 Project: Bro Issue Tracker Issue Type: New

[Bro-Dev] [JIRA] (BIT-1551) Broctl plugins in Bro plugins

2016-03-11 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1551?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu reassigned BIT-1551: Assignee: Daniel Thayer > Broctl plugins in Bro plug

Re: [Bro-Dev] SMB2 - NTLM GSSAPI messages

2016-01-25 Thread Vlad Grigorescu
My intention for this was to do the parsing at the PAC level, but it wasn't possible at the time. In the meantime, BinPAC now supports including files from other directories, so just how ASN1 is now a BinPAC library shared by SNMP and Kerberos, I would envision GSSAPI to become a library. This

[Bro-Dev] Bro failing to build on OS X with XCode 7

2016-01-14 Thread Vlad Grigorescu
I can't get Bro master to build with XCode 7 on OS X. For anyone trying to build Bro on a new OS X system, this is a problem, since I don't think old versions of XCode are still available. > $ cc -v > Apple LLVM version 7.0.2 (clang-700.1.81) > Target: x86_64-apple-darwin15.2.0 > Thread model:

[Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub

2016-01-11 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=23807#comment-23807 ] Vlad Grigorescu commented on BIT-1413: -- Here's what I was doing: {code} git clone ssh://git.bro.org

[Bro-Dev] [JIRA] (BIT-1518) SSH analyzer doesn't handle non-conformant client version strings

2016-01-11 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1518: Summary: SSH analyzer doesn't handle non-conformant client version strings Key: BIT-1518 URL: https://bro-tracker.atlassian.net/browse/BIT-1518 Project: Bro Issue

Re: [Bro-Dev] Better Handling of User Agents in Software Framework

2015-12-15 Thread Vlad Grigorescu
at 3:24 PM, Seth Hall <s...@icir.org> wrote: > > > On Dec 14, 2015, at 10:51 AM, Vlad Grigorescu <v...@grigorescu.org> > wrote: > > > > I'm not thrilled with how those user agents are being handled right now, and > I'm curious to get some thoughts. Take, for

[Bro-Dev] Better Handling of User Agents in Software Framework

2015-12-14 Thread Vlad Grigorescu
I'm not thrilled with how those user agents are being handled right now, and I'm curious to get some thoughts. Take, for example the Safari user-agent string of: > Safari/11601.3.9 CFNetwork/760.2.6 Darwin/15.2.0 (x86_64) Right now, this gets parsed as: > name=Safari, > version=[ >

Re: [Bro-Dev] Parse LDAP messages from a pcap

2015-12-01 Thread Vlad Grigorescu
Zakaria, There's no LDAP analyzer in Bro. LDAP is not a simple protocol, but if you'd like to try writing an analyzer, you might want to check out the following resources: https://www.bro.org/development/howtos/binpac-sample-analyzer.html https://www.youtube.com/watch?v=1eDIl9y6ZnM Best,

[Bro-Dev] [JIRA] (BIT-1500) BinPAC Call to FlowBuffer::NewFrame with frame_length -1

2015-11-23 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=23002#comment-23002 ] Vlad Grigorescu commented on BIT-1500: -- I'd like to revisit this and see if we can get the issue fixed, so

[Bro-Dev] [JIRA] (BIT-1500) BinPAC Call to FlowBuffer::NewFrame with frame_length -1

2015-11-23 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=23004#comment-23004 ] Vlad Grigorescu commented on BIT-1500: -- We can leave it closed. I'll keep it on my backburner. > Bin

[Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

2015-11-13 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=22817#comment-22817 ] Vlad Grigorescu commented on BIT-1506: -- Realistically, no one really runs Bro on OS X

[Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

2015-11-10 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1506: Summary: Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal Key: BIT-1506 URL: https://bro-tracker.atlassian.net/browse/BIT-1506 Project

[Bro-Dev] [JIRA] (BIT-1500) BinPAC Call to FlowBuffer::NewFrame with frame_length -1

2015-11-02 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=22800#comment-22800 ] Vlad Grigorescu commented on BIT-1500: -- I've run into some similar weirdness, which is usually solved

Re: [Bro-Dev] [EXTERNAL] Re: [Bro] Logging VLAN IDs

2015-09-21 Thread Vlad Grigorescu
Oooh, yes, thank you. I'm not sure how I missed that, but that looks nice. On Mon, Sep 21, 2015 at 5:50 PM, Robin Sommer wrote: > On Mon, Sep 21, 2015 at 11:20 -0500, you wrote: > > > I'm wondering if anyone has given any further thought to or done any work > > on this. > > Yep,

[Bro-Dev] Advice on the PE Analyzer

2015-09-21 Thread Vlad Grigorescu
For Bro 2.5, I'd like to add some more functionality to the Windows Portable Executable analyzer. I think there's a lot of valuable data that could be extracted, but the format is rather challenging to work with. Some protocol pseudocode would be: > : import_address_table is at 0010 > 0010:

Re: [Bro-Dev] [EXTERNAL] Re: [Bro] Logging VLAN IDs

2015-09-21 Thread Vlad Grigorescu
Apologies for resurrecting an old thread. I'm wondering if anyone has given any further thought to or done any work on this. While looking at BIT-1480 (adding ERSPAN decapsulation support), I was reminded of what a mess Sessions.cc currently is. I think moving towards passing a Packet structure

[Bro-Dev] [JIRA] (BIT-1480) ERSPAN Supprt

2015-09-18 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1480?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu reassigned BIT-1480: Assignee: Vlad Grigorescu > ERSPAN Supprt > - > >

[Bro-Dev] [JIRA] (BIT-1460) DPD query too large on multicast DNS

2015-09-10 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1460?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu reassigned BIT-1460: Assignee: Vlad Grigorescu (was: Johanna Amann) > DPD query too large on multicast

[Bro-Dev] [JIRA] (BIT-1460) DPD query too large on multicast DNS

2015-09-10 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=22018#comment-22018 ] Vlad Grigorescu commented on BIT-1460: -- Will do. Sorry for not checking that earlier. > DPD query

[Bro-Dev] [JIRA] (BIT-1460) DPD query too large on multicast DNS

2015-09-10 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1460?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1460: - Status: Open (was: Merge Request) > DPD query too large on multicast

[Bro-Dev] [JIRA] (BIT-1460) DPD query too large on multicast DNS

2015-09-10 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=22019#comment-22019 ] Vlad Grigorescu commented on BIT-1460: -- Yes, these all seem reasonable. Several symptoms

[Bro-Dev] [JIRA] (BIT-1460) DPD query too large on multicast DNS

2015-09-10 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=22019#comment-22019 ] Vlad Grigorescu edited comment on BIT-1460 at 9/10/15 3:01 PM: --- Yes, these all

[Bro-Dev] [JIRA] (BIT-1460) DPD query too large on multicast DNS

2015-09-10 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1460?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1460: - Status: Merge Request (was: Open) Assignee: (was: Vlad Grigorescu) > DPD query

[Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub

2015-09-04 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=21944#comment-21944 ] Vlad Grigorescu commented on BIT-1413: -- Sure. I'll go with the symlink idea. > README files misidentif

[Bro-Dev] [JIRA] (BIT-1414) Make PIE option availalbe during compiling

2015-09-04 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1414: - Resolution: Cannot Reproduce Status: Closed (was: Open) > Make PIE option availa

[Bro-Dev] [JIRA] (BIT-1460) DPD query too large on multicast DNS

2015-09-04 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=21941#comment-21941 ] Vlad Grigorescu commented on BIT-1460: -- The issue here is src/analyzer/protocol/dns/DNS.cc lines 58-68

[Bro-Dev] [JIRA] (BIT-1460) DPD query too large on multicast DNS

2015-09-04 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1460?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1460: - Status: Merge Request (was: Open) > DPD query too large on multicast

[Bro-Dev] [JIRA] (BIT-874) Handling Modbus exception FC

2015-09-04 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-874?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-874: Labels: Modbus analyzer exception fc (was: , Modbus analyser, exception fc) > Handling Mod

[Bro-Dev] [JIRA] (BIT-1336) ElasticSearch indices in UTC

2015-09-04 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1336?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=21956#comment-21956 ] Vlad Grigorescu commented on BIT-1336: -- The fix for this is in topic/vladg/es-fixes in the bro-plugins

[Bro-Dev] [JIRA] (BIT-1336) ElasticSearch indices in UTC

2015-09-04 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1336: - Status: Merge Request (was: Open) Assignee: (was: Seth Hall) > ElasticSearch indi

[Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP

2015-09-03 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=21926#comment-21926 ] Vlad Grigorescu commented on BIT-1458: -- topic/vladg/bit-1458 reworks the analyzer a bit, and fixes any

[Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP

2015-09-03 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1458: - Status: Merge Request (was: Open) Assignee: (was: Vlad Grigorescu) > Lots of bin

[Bro-Dev] [JIRA] (BIT-1469) dpd.log contains lots of binpac exceptions for RDP

2015-09-03 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=21927#comment-21927 ] Vlad Grigorescu commented on BIT-1469: -- I looked into this, and I don't think that it's trivial to solve

[Bro-Dev] [JIRA] (BIT-1469) dpd.log contains lots of binpac exceptions for RDP

2015-09-03 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1469: - Fix Version/s: 2.5 > dpd.log contains lots of binpac exceptions for

[Bro-Dev] [JIRA] (BIT-1458) Lots of binpac exceptions in SIP

2015-09-03 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=21929#comment-21929 ] Vlad Grigorescu commented on BIT-1458: -- Yeah, I agree. The existing btest's Baseline did need

[Bro-Dev] [JIRA] (BIT-1466) Need to document Q and I for conn.log

2015-08-24 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1466?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu reassigned BIT-1466: Assignee: Vlad Grigorescu Need to document Q and I for conn.log

[Bro-Dev] [JIRA] (BIT-1466) Need to document Q and I for conn.log

2015-08-24 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=21801#comment-21801 ] Vlad Grigorescu commented on BIT-1466: -- Fixed in topic/vladg/bit-1466 Need to document Q

[Bro-Dev] [JIRA] (BIT-1461) Bro Mgr Scripts Fail After Threat Intel Feed Add

2015-08-20 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1461?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=21708#comment-21708 ] Vlad Grigorescu commented on BIT-1461: -- {quote}Value not found in enum mappimg{quote

Re: [Bro-Dev] Trouble with getting Bro 2.2 private analyzer to write logs on current master

2015-06-17 Thread Vlad Grigorescu
On Wed, Jun 17, 2015 at 10:30 AM, James Swaro james.sw...@gmail.com wrote: If I understand the patch correctly, it would only cause problems for connections with over 2GB of data payload, but I think it should work fine for a small trace of say 200KB. I'm not seeing any events at all, nor am I

Re: [Bro-Dev] Trouble with getting Bro 2.2 private analyzer to write logs on current master

2015-06-16 Thread Vlad Grigorescu
Just a guess, but it could be related to this: https://github.com/bro/bro/blob/master/CHANGES#L1578 ints changed to uint64s. As an example, you can see how the HTTP analyzer was modified here:

[Bro-Dev] [JIRA] (BIT-1414) Make PIE option availalbe during compiling

2015-06-15 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=21001#comment-21001 ] Vlad Grigorescu commented on BIT-1414: -- There are two compiler/linker flags you can use

[Bro-Dev] [JIRA] (BIT-1414) Make PIE option availalbe during compiling

2015-06-15 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=21001#comment-21001 ] Vlad Grigorescu edited comment on BIT-1414 at 6/15/15 5:08 PM

[Bro-Dev] [JIRA] (BIT-1414) Make PIE option availalbe during compiling

2015-06-02 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20912#comment-20912 ] Vlad Grigorescu commented on BIT-1414: -- It worked just fine for me. What issues were you

[Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub

2015-06-02 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1413: Summary: README files misidentified by GitHub Key: BIT-1413 URL: https://bro-tracker.atlassian.net/browse/BIT-1413 Project: Bro Issue Tracker Issue Type

[Bro-Dev] [JIRA] (BIT-1412) Documentation/control of Jira markup shortcuts?

2015-06-01 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1412?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20908#comment-20908 ] Vlad Grigorescu commented on BIT-1412: -- I don't think they're modifiable, but you can

[Bro-Dev] [JIRA] (BIT-1412) Documentation/control of Jira markup shortcuts?

2015-06-01 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1412?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20910#comment-20910 ] Vlad Grigorescu commented on BIT-1412: -- Ah, my mistake. I believe the editor shortcuts

[Bro-Dev] [JIRA] (BIT-1410) tx_hosts and rx_hosts switched in files.log

2015-06-01 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1410?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20911#comment-20911 ] Vlad Grigorescu commented on BIT-1410: -- Fix is in branch topic/vladg/bit-1410 in bro, bro

[Bro-Dev] [JIRA] (BIT-1394) Github commit seems to have possible configure issues?

2015-05-07 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1394?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20602#comment-20602 ] Vlad Grigorescu commented on BIT-1394: -- When working with Bro behind an HTTP proxy, I use

[Bro-Dev] [JIRA] (BIT-1384) Optimize option leads to internal error

2015-04-22 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1384: Summary: Optimize option leads to internal error Key: BIT-1384 URL: https://bro-tracker.atlassian.net/browse/BIT-1384 Project: Bro Issue Tracker Issue Type

[Bro-Dev] [JIRA] (BIT-1369) Kerberos Analyzer

2015-04-21 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20413#comment-20413 ] Vlad Grigorescu commented on BIT-1369: -- I tweaked the kinit btest to print output for one

[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated

2015-04-20 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20401#comment-20401 ] Vlad Grigorescu commented on BIT-1365: -- Any reason why local-local couldn't be set

[Bro-Dev] [JIRA] (BIT-1380) Files::add_analyzer documentation has too many fields

2015-04-20 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1380: Summary: Files::add_analyzer documentation has too many fields Key: BIT-1380 URL: https://bro-tracker.atlassian.net/browse/BIT-1380 Project: Bro Issue Tracker

[Bro-Dev] [JIRA] (BIT-1379) PE File Analyzer

2015-04-19 Thread Vlad Grigorescu (JIRA)
Vlad Grigorescu created BIT-1379: Summary: PE File Analyzer Key: BIT-1379 URL: https://bro-tracker.atlassian.net/browse/BIT-1379 Project: Bro Issue Tracker Issue Type: New Feature

[Bro-Dev] [JIRA] (BIT-1379) PE File Analyzer

2015-04-19 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1379?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1379: - Status: Merge Request (was: Open) PE File Analyzer Key

[Bro-Dev] [JIRA] (BIT-1370) SIP Analyzer

2015-04-19 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20323#comment-20323 ] Vlad Grigorescu commented on BIT-1370: -- I merged master, updated the tests (no changes

[Bro-Dev] [JIRA] (BIT-1370) SIP Analyzer

2015-04-19 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1370?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1370: - Status: Merge Request (was: Open) SIP Analyzer Key: BIT-1370

[Bro-Dev] [JIRA] (BIT-1369) Kerberos Analyzer

2015-04-17 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20320#comment-20320 ] Vlad Grigorescu commented on BIT-1369: -- I merged master, updated the tests (no changes

[Bro-Dev] [JIRA] (BIT-1369) Kerberos Analyzer

2015-04-17 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1369?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1369: - Status: Merge Request (was: Open) Kerberos Analyzer - Key

[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated

2015-04-17 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20319#comment-20319 ] Vlad Grigorescu commented on BIT-1365: -- This is fixed in topic/vladg/ssh. When fixing

[Bro-Dev] [JIRA] (BIT-1365) direction field of SSH::Info no longer populated

2015-04-17 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1365: - Status: Merge Request (was: Open) direction field of SSH::Info no longer populated

[Bro-Dev] [JIRA] (BIT-1369) Kerberos Analyzer

2015-04-03 Thread Vlad Grigorescu (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1369?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vlad Grigorescu updated BIT-1369: - Fix Version/s: 2.4 Kerberos Analyzer - Key: BIT-1369
