#478: Move BinPAC docs over to new server
----------------------------+--------------------
Reporter: robin | Owner: seth
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Website / Wiki | Version:
Keywords: |
----------------------------+--------------------
There's some BinPAC documentation in the old Wiki that we should move
over.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/478>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
#579: Syslog logging writer
---------------------+------------------------
Reporter: seth | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.7
Component: Bro | Version: git/master
Keywords: |
---------------------+------------------------
Martin has completely convinced me of the need for this. I don't know
what timeline we should put on it, though. The one thought I have about
it is that it needs to use TCP due to the extremely long lines that Bro logs
tend to have. I think it would be ok for it to have the same output
rendering that the LogAscii writer has.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/579>
#584: DNS TXT record lookup bif
-----------------------------+--------------------
Reporter: seth | Owner:
Type: Feature Request | Status: new
Priority: Normal | Milestone: Bro1.7
Component: Bro | Version:
Keywords: |
-----------------------------+--------------------
We need a lookup_txt bif like the lookup_name and lookup_host bifs. It
would make two things possible:
1. Improved integration with Team Cymru's malware hash registry.
2. Integration with Google's Certificate Catalog to find "bad" certs.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/584>
#634: CouchDB writer
-------------------------+-----------------------------
Reporter: jeff.baumes | Type: Feature Request
Status: new | Priority: Normal
Milestone: | Component: Bro
Version: | Keywords:
-------------------------+-----------------------------
Attached is a git patch for logging information to CouchDB. It has a new
dependency on libcurl, which it searches for with a find_package CMake
command, and on JsonCpp (MIT license), whose code is included directly in the
source tree.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/634>
#578: Add ICMPv6 support to Bro
---------------------+------------------------
Reporter: gregor | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.7
Component: Bro | Version: git/master
Keywords: IPv6 |
---------------------+------------------------
Bro currently does not handle ICMPv6 at all (one reason being that Bro
ignores IP protocol 58, which is ipv6-icmp).
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/578>
#646: Cleanup interpreter error handling.
--------------------+--------------------
Reporter: robin | Owner:
Type: Task | Status: new
Priority: Normal | Milestone: Bro1.7
Component: Bro | Version:
Keywords: |
--------------------+--------------------
From 15ab2874369b5d7a3e6a14df24b141fa759999bb (which has been merged into
master):
{{{
Currently, a lot of interpreter runtime errors, such as an access to
an unset optional record field, cause Bro to abort with an internal
error. This is an experimental branch that turns such errors into
non-fatal runtime errors by internally raising exceptions. These are
caught upstream and processing continues afterwards.
For now, not many errors actually raise exceptions (the example above
does though). We'll need to go through them eventually and adapt the
current Internal() calls (and potentially others). More generally, at
some point we should cleanup the interpreter error handling (unifying
errors reported at parse- and runtime; and switching to exceptions for
all Expr/Stmt/Vals). But that's a larger change and left for later.
}}}
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/646>
#640: BiFs to enable or disable events.
-----------------------------+--------------------
Reporter: seth | Owner:
Type: Feature Request | Status: new
Priority: Normal | Milestone: Bro1.7
Component: Bro | Version:
Keywords: language |
-----------------------------+--------------------
We need BiFs to enable/disable event handlers. The existing
enable_event_group and disable_event_group functions push too much into
the core and are too rigid.
Even better would be if we had some way to place limited preconditions on
event handlers. I would really like to be able to do this:
{{{
redef Event::policy += {
["prevent-port-53-dns-requests"] = [$if="port 53", $ev=dns_request,
$action=Event::DISABLE],
["no-dns-responses"] = [$ev=dns_response, $action=Event::DISABLE],
["
};
}}}
I'm trying to follow the general API style that we've been following with
other frameworks, but I'm using a quasi-BPF filter in place of a
predicate, since this would need to be extremely fast if it were to offer
any benefit; there is probably lots of room for further discussion
here. The other thing I don't like is that, the way I defined it,
Event::policy would be a const and only definable at startup. It would be
very helpful to be able to write Bro scripts that can tune this at
runtime.
I think ultimately this is two tickets: one for creating the correct BiFs
after figuring out all of the requirements, and then one for creating a
framework on top of the BiFs to make it easier to use.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/640>
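An added Python sketch of the semantics the Event::policy table in ticket #640 proposes (this is not Bro code, nor code from the ticket or the Bro project): named rules with a target event, an action and an optional quasi-BPF precondition, a per-event enable check, and add/remove at runtime rather than a startup-only const. The matcher's clause syntax, the names EventPolicyTable, matches and demo, and the sample connections are assumptions made for this illustration.

```python
from typing import Dict, Optional, Tuple

DISABLE = "DISABLE"  # stands in for the sketched Event::DISABLE
Conn = Tuple[int, int]  # (orig_p, resp_p) of the connection being handled


def matches(cond: Optional[str], c: Conn) -> bool:
    """Tiny quasi-BPF matcher (hypothetical syntax): 'port N', 'src port N',
    'dst port N', joined by 'and'. No condition always matches."""
    if not cond:
        return True
    for clause in cond.split(" and "):
        p = clause.split()
        if p[0] == "port" and len(p) == 2:
            ok = int(p[1]) in c
        elif p[:2] in (["src", "port"], ["dst", "port"]) and len(p) == 3:
            ok = c[0 if p[0] == "src" else 1] == int(p[2])
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not ok:
            return False
    return True


class EventPolicyTable:
    """Named rules ($ev, $action, $if), mutable at runtime rather than const."""
    def __init__(self) -> None:
        self.rules: Dict[str, Tuple[str, str, Optional[str]]] = {}

    def add(self, name: str, ev: str, action: str = DISABLE,
            cond: Optional[str] = None) -> None:
        self.rules[name] = (ev, action, cond)

    def remove(self, name: str) -> None:
        self.rules.pop(name, None)

    def enabled(self, ev: str, c: Conn) -> bool:
        """True unless a DISABLE rule for `ev` has its precondition met."""
        return not any(r_ev == ev and act == DISABLE and matches(cond, c)
                       for r_ev, act, cond in self.rules.values())


def demo() -> dict:
    t = EventPolicyTable()  # the two entries from the ticket's sketch
    t.add("prevent-port-53-dns-requests", "dns_request", DISABLE, "port 53")
    t.add("no-dns-responses", "dns_response", DISABLE)
    dns, mdns = (51234, 53), (5353, 5353)  # constructed connections
    before = (t.enabled("dns_request", dns), t.enabled("dns_request", mdns),
              t.enabled("dns_response", dns))
    t.remove("no-dns-responses")  # tune the policy at runtime
    return {"before": before, "after": t.enabled("dns_response", dns)}
```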
#603: Checking correctness of logs
------------------------+--------------------
Reporter: robin | Type: Task
Status: new | Priority: Normal
Milestone: Bro1.6 | Component: Bro
Version: git/master |
------------------------+--------------------
Before we release the final 2.0, we really need to do a rather
thorough check of the logs to make sure they are correct. The way I
picture doing that is that everybody picks connections at random and
manually checks that the logs report what he'd expect from examining
the raw payload with tcpdump/wireshark/strings/whatever. That's pretty
painful but I don't really see a better way. Thoughts welcome.
--
Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/603>
#576: Conn.log does not use well known ports for service field anymore
-----------------------------+--------------------
Reporter: gregor | Owner:
Type: Feature Request | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Bro | Version:
Keywords: BETA |
-----------------------------+--------------------
The new conn.log does not use well known ports for the service field
anymore. I actually found this feature quite convenient to have. Can we
get it back? Maybe by adding an additional column that specifies whether
the service field is derived from DPD or port based. Or we have a
"dpd_service" column and a "port_service" column.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/576>