zeek-dev July 2011

zeek-dev@lists.zeek.org

112 discussions

[Bro-Dev] #478: Move BinPAC docs over to new server

by Bro Tracker

#478: Move BinPAC docs over to new server ----------------------------+-------------------- Reporter: robin | Owner: seth Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Website / Wiki | Version: Keywords: | ----------------------------+-------------------- There's some BinPAC documentation in the old Wiki that we should move over. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/478> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

8 years, 1 month

[Bro-Dev] #474: &raw_output turns null values into \0

by Bro Tracker

#474: &raw_output turns null values into \0 ---------------------+-------------------- Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Keywords: | ---------------------+-------------------- Files with the raw_output attribute shouldn't do any interpretation to the data. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/474> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

8 years, 2 months

[Bro-Dev] #519: policy/protocols/http/headers.bro only logs client headers

by Bro Tracker

#519: policy/protocols/http/headers.bro only logs client headers ---------------------+-------------------- Reporter: vern | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Keywords: | ---------------------+-------------------- In Bro 1.5, policy/http-header.bro logs both client and server headers. The new http/headers.bro only logs client headers, which breaks some forms of analysis. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/519> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

8 years, 7 months

[Bro-Dev] #465: Fix up the MIME analyzer

by Bro Tracker

#465: Fix up the MIME analyzer ---------------------+------------------------ Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Keywords: | ---------------------+------------------------ The mime analyzer has a lot of inconsistency issues and is broken in a few places. * mime_all_headers loops and could potentially be a bad idea. More prone to DoS as well. Delete it? * mime_all_data is probably also a bad idea. Especially for large files. Delete it? * mime_entity_data seems very similar to mime_all_data and is not chunked as the similarity to the http_entity_data would imply. The current mime_entity_data should be removed and the current mime_all_data should be renamed to mime_entity_data. * mime_next_entity is never generated by the core or policy scripts and should either be fixed or deleted. * mime_one_header should probably be renamed to mime_header for consistency. * I have no clue what mime_event is for. Is it necessary? * mime_content_hash gives a non printable hash value and it could be removed since hash generation is done in the script now and eventually will be done in the file analyzer. * The wrong ifdef is used in the source: #ifdef DEBUG_BRO used instead of #ifdef DEBUG * mime_end_entity is generated generated multiple times in some cases when it shouldn't be. It's something to keep an eye out for, I never dug into it enough to find out what caused it. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/465> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

8 years, 7 months

[Bro-Dev] #524: Bro fuzz testing

by Bro Tracker

#524: Bro fuzz testing --------------------+------------------------ Reporter: gregor | Owner: Type: Task | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Keywords: | --------------------+------------------------ As part of Bro's regular testing we should probably also to some fuzzing. Good starting points might be: * http://wiki.wireshark.org/FuzzTesting * http://code.google.com/p/capouik/ (this one maybe not so much) The wireshark tools can probably be used with very little modification. However, one worthwhile addition might be to make the tools preserve the first n bytes of a packet and then start the fuzzing afterwards (e.g., to only fuzz after the IP header or such). (Not sure whether this should be milestone 1.6 or 1.7) -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/524> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

8 years, 10 months

[Bro-Dev] #496: bro -H undocumented

by Bro Tracker

#496: bro -H undocumented ---------------------+----------------- Reporter: vern | Owner: Type: Problem | Status: new Priority: Low | Milestone: Component: Bro | Version: Keywords: | ---------------------+----------------- I wanted to get help output so I ran `bro -H` (misremembering that it's instead `-h`). Bro just sat there waiting for input from stdin, even though `bro -h` indicates there's no such flag as `-H`. Turns out it's an alias for `--save-seeds`. Seems we should either remove the alias (my vote), or make sure it appears in the `-h` output. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/496> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

8 years, 11 months

[Bro-Dev] #523: event new_packet does not support IPv6

by Bro Tracker

#523: event new_packet does not support IPv6 ---------------------+------------------------ Reporter: gregor | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.7 Component: Bro | Version: git/master Keywords: IPv6 | ---------------------+------------------------ The new_packet event is only raised for IPv4 packets. More generally every event that uses either the pkt_hdr or the ip_hdr records might have the same problem. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/523> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

8 years, 11 months

[Bro-Dev] #522: Event to report non TCP/UDP/ICMP packets

by Bro Tracker

#522: Event to report non TCP/UDP/ICMP packets ---------------------+------------------------ Reporter: gregor | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.7 Component: Bro | Version: git/master Keywords: IPv6 | ---------------------+------------------------ Hi, it might be useful to have an event that fires if an IP packet does not contain TCP, UDP or ICMP, i.e., it either has a different IP protocol number or for IPv6 it might be some sort of extension header. Currently Bro silently ignores these packets. See NetSessions::DoNextPacket() -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/522> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

8 years, 11 months

[Bro-Dev] #464: Bug with complex data structures

by Bro Tracker

#464: Bug with complex data structures ---------------------+-------------------- Reporter: seth | Owner: Type: Problem | Status: new Priority: High | Milestone: Bro1.6 Component: Bro | Version: Keywords: | ---------------------+-------------------- This script: {{{ type MetaData: record { a: count; tags: set[string]; }; global ip_data: table[addr] of set[MetaData] = table(); local m: MetaData = [$a=4, $tags=set("blah")]; if ( 1.2.3.4 !in ip_data ) ip_data[1.2.3.4] = set(m); else add ip_data[1.2.3.4][m]; }}} Results in this error: {{{ 1306867820.149493 <no location> and ./test29.bro, line 10 ([a=4, tags={blah}] and list of record { a:count; tags:set[string]; }): error, index type doesn't match table }}} -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/464> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 1 month

[Bro-Dev] #477: Signing releases

by Bro Tracker

#477: Signing releases --------------------+-------------------- Reporter: robin | Owner: Type: Task | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Keywords: | --------------------+-------------------- We should start GPG-signing Bro releases. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/477> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 2 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

zeek-dev July 2011