#478: Move BinPAC docs over to new server
----------------------------+--------------------
Reporter: robin | Owner: seth
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Website / Wiki | Version:
Keywords: |
----------------------------+--------------------
There's some BinPAC documentation in the old Wiki that we should move
over.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/478>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
#519: policy/protocols/http/headers.bro only logs client headers
---------------------+--------------------
Reporter: vern | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Bro | Version:
Keywords: |
---------------------+--------------------
In Bro 1.5, policy/http-header.bro logs both client and server headers.
The new http/headers.bro only logs client headers, which breaks some forms
of analysis.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/519>
#465: Fix up the MIME analyzer
---------------------+------------------------
Reporter: seth | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Bro | Version: git/master
Keywords: |
---------------------+------------------------
The mime analyzer has a lot of inconsistency issues and is broken in a few
places.
* mime_all_headers loops and could potentially be a bad idea. More prone
to DoS as well. Delete it?
* mime_all_data is probably also a bad idea. Especially for large files.
Delete it?
* mime_entity_data seems very similar to mime_all_data and is not chunked
as the similarity to the http_entity_data would imply. The current
mime_entity_data should be removed and the current mime_all_data should be
renamed to mime_entity_data.
* mime_next_entity is never generated by the core or policy scripts and
should either be fixed or deleted.
* mime_one_header should probably be renamed to mime_header for
consistency.
* I have no clue what mime_event is for. Is it necessary?
* mime_content_hash gives a non-printable hash value and it could be
removed since hash generation is done in the script now and eventually
will be done in the file analyzer.
* The wrong ifdef is used in the source: #ifdef DEBUG_BRO used instead of
#ifdef DEBUG
* mime_end_entity is generated multiple times in some cases when
it shouldn't be. It's something to keep an eye out for, I never dug into
it enough to find out what caused it.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/465>
#524: Bro fuzz testing
--------------------+------------------------
Reporter: gregor | Owner:
Type: Task | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Bro | Version: git/master
Keywords: |
--------------------+------------------------
As part of Bro's regular testing we should probably also do some fuzzing.
Good starting points might be:
* http://wiki.wireshark.org/FuzzTesting
* http://code.google.com/p/capouik/ (this one maybe not so much)
The wireshark tools can probably be used with very little modification.
However, one worthwhile addition might be to make the tools preserve the
first n bytes of a packet and then start the fuzzing afterwards (e.g., to
only fuzz after the IP header or such).
(Not sure whether this should be milestone 1.6 or 1.7)
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/524>
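
The "preserve the first n bytes, then fuzz" idea from ticket #524, as an added example (not code from the ticket, Bro, or the Wireshark tools). It assumes a classic microsecond-resolution pcap file; the function names, the constructed sample capture, and the 34-byte offset (Ethernet plus an option-less IPv4 header) are assumptions made for illustration.

```python
import random
import struct

PCAP_GLOBAL_HDR_LEN = 24  # classic libpcap file header
PCAP_REC_HDR_LEN = 16     # ts_sec, ts_usec, incl_len, orig_len
PRESERVE = 14 + 20        # assumed: Ethernet + IPv4 header without options


def fuzz_pcap(data: bytes, preserve: int, error_prob: float, seed: int = 0) -> bytes:
    """Copy a pcap, corrupting packet bytes at offsets >= preserve with probability error_prob."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    rng = random.Random(seed)  # fixed seed so a crashing input can be regenerated
    out = bytearray(data[:PCAP_GLOBAL_HDR_LEN])
    pos = PCAP_GLOBAL_HDR_LEN
    while pos + PCAP_REC_HDR_LEN <= len(data):
        rec_hdr = data[pos:pos + PCAP_REC_HDR_LEN]
        incl_len = struct.unpack(endian + "IIII", rec_hdr)[2]
        start = pos + PCAP_REC_HDR_LEN
        pkt = bytearray(data[start:start + incl_len])
        if len(pkt) != incl_len:
            raise ValueError("truncated packet record")
        # Record header and the first `preserve` bytes are copied untouched.
        for i in range(preserve, len(pkt)):
            if rng.random() < error_prob:
                pkt[i] ^= rng.randrange(1, 256)  # non-zero XOR always changes the byte
        out += rec_hdr + pkt
        pos = start + incl_len
    return bytes(out)


def build_sample_pcap() -> bytes:
    """Constructed sample: two 60-byte frames of dummy bytes, not real traffic."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [bytes(range(60)), bytes(range(100, 160))]
    recs = (struct.pack("<IIII", 1, i, len(p), len(p)) + p for i, p in enumerate(pkts))
    return hdr + b"".join(recs)
```

Because record lengths never change, the output stays a well-formed capture file and only the bytes past the preserved prefix differ from the original.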
#496: bro -H undocumented
---------------------+-----------------
Reporter: vern | Owner:
Type: Problem | Status: new
Priority: Low | Milestone:
Component: Bro | Version:
Keywords: |
---------------------+-----------------
I wanted to get help output so I ran `bro -H` (misremembering that it's
instead `-h`). Bro just sat there waiting for input from stdin, even
though `bro -h` indicates there's no such flag as `-H`. Turns out it's an
alias for `--save-seeds`. Seems we should either remove the alias (my
vote), or make sure it appears in the `-h` output.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/496>
#523: event new_packet does not support IPv6
---------------------+------------------------
Reporter: gregor | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.7
Component: Bro | Version: git/master
Keywords: IPv6 |
---------------------+------------------------
The new_packet event is only raised for IPv4 packets. More generally every
event that uses either the pkt_hdr or the ip_hdr records might have the
same problem.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/523>
#522: Event to report non TCP/UDP/ICMP packets
---------------------+------------------------
Reporter: gregor | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.7
Component: Bro | Version: git/master
Keywords: IPv6 |
---------------------+------------------------
Hi,
it might be useful to have an event that fires if an IP packet does not
contain TCP, UDP or ICMP, i.e., it either has a different IP protocol
number or for IPv6 it might be some sort of extension header.
Currently Bro silently ignores these packets.
See NetSessions::DoNextPacket()
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/522>
#464: Bug with complex data structures
---------------------+--------------------
Reporter: seth | Owner:
Type: Problem | Status: new
Priority: High | Milestone: Bro1.6
Component: Bro | Version:
Keywords: |
---------------------+--------------------
This script:
{{{
type MetaData: record {
    a: count;
    tags: set[string];
};
global ip_data: table[addr] of set[MetaData] = table();
local m: MetaData = [$a=4, $tags=set("blah")];
if ( 1.2.3.4 !in ip_data )
    ip_data[1.2.3.4] = set(m);
else
    add ip_data[1.2.3.4][m];
}}}
Results in this error:
{{{
1306867820.149493 <no location> and ./test29.bro, line 10
([a=4, tags={blah}] and list of record { a:count; tags:set[string]; }):
error, index type doesn't match table
}}}
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/464>