#478: Move BinPAC docs over to new server
----------------------------+--------------------
Reporter: robin | Owner: seth
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Website / Wiki | Version:
Keywords: |
----------------------------+--------------------
There's some BinPAC documentation in the old Wiki that we should move
over.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/478>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
#579: Syslog logging writer
---------------------+------------------------
Reporter: seth | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.7
Component: Bro | Version: git/master
Keywords: |
---------------------+------------------------
Martin has completely convinced me of the need for this. I don't know
about the timeline we should put on it, though. The one thought I have about
it is that it needs to use TCP due to the extremely long lines that Bro logs
tend to have. I think it would be ok for it to have the same output
rendering that the LogAscii writer has.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/579>
#584: DNS TXT record lookup bif
-----------------------------+--------------------
Reporter: seth | Owner:
Type: Feature Request | Status: new
Priority: Normal | Milestone: Bro1.7
Component: Bro | Version:
Keywords: |
-----------------------------+--------------------
We need a lookup_txt bif like the lookup_name and lookup_host bifs. It
would make two things possible:
1. Improved integration with Team Cymru's malware hash registry.
2. Integration with Google's Certificate Catalog to find "bad" certs.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/584>
#578: Add ICMPv6 support to Bro
---------------------+------------------------
Reporter: gregor | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.7
Component: Bro | Version: git/master
Keywords: IPv6 |
---------------------+------------------------
Bro currently does not handle ICMPv6 at all (one reason being that Bro
ignores IP protocol 58, which is ipv6-icmp).
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/578>
#603: Checking correctness of logs
------------------------+--------------------
Reporter: robin | Type: Task
Status: new | Priority: Normal
Milestone: Bro1.6 | Component: Bro
Version: git/master |
------------------------+--------------------
Before we release the final 2.0, we really need to do a rather
thorough check of the logs to make sure they are correct. The way I
picture doing that is that everybody picks connections at random and
manually checks that the logs report what he'd expect from examining
the raw payload with tcpdump/wireshark/strings/whatever. That's pretty
painful, but I don't really see a better way. Thoughts welcome.
--
Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/603>
#576: Conn.log does not use well known ports for service field anymore
-----------------------------+--------------------
Reporter: gregor | Owner:
Type: Feature Request | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Bro | Version:
Keywords: BETA |
-----------------------------+--------------------
The new conn.log does not use well known ports for the service field
anymore. I actually found this feature quite convenient to have. Can we
get it back? Maybe by adding an additional column that specifies whether
the service field is derived from DPD or port based. Or we have a
"dpd_service" column and a "port_service" column.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/576>
#519: policy/protocols/http/headers.bro only logs client headers
---------------------+--------------------
Reporter: vern | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Bro | Version:
Keywords: |
---------------------+--------------------
In Bro 1.5, policy/http-header.bro logs both client and server headers.
The new http/headers.bro only logs client headers, which breaks some forms
of analysis.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/519>
#566: Binpac analyzers and content gaps
---------------------+------------------------
Reporter: gregor | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.7
Component: BinPAC | Version: git/master
Keywords: |
---------------------+------------------------
Binpac analyzers generally do not handle content gaps. In some cases
content gaps might even lead to excessive memory usage (See #565). It's
possible to work around this by checking whether there was a gap and not
delivering any more data to binpac if there was. However, I think that
maybe binpac should handle this directly. After all, there's a NewGap()
method in binpac...
(We might also want to not address this issue and wait for binpac++ to
solve issues like that.)
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/566>
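As an added illustration of the content-gap problem described in this ticket (example code written for this page, not part of Bro or BinPAC), the script below pairs a toy length-prefixed record parser that buffers until a record is complete with two feeders: a naive one that ignores gap notifications, and a gap-aware one implementing the workaround the ticket mentions, i.e. stop delivering data to the parser once the reassembler reports undelivered bytes. The method names deliver/undelivered are my own choice, loosely echoing the DeliverStream/Undelivered callbacks of Bro's TCP application analyzers; the record format and the simulated stream are constructed for this example.

```python
import struct


class LengthPrefixedParser:
    """Toy record parser (constructed for this example): each record is a 4-byte
    big-endian length followed by that many payload bytes. Like a binpac-generated
    parser it buffers input until a whole record has arrived."""

    def __init__(self):
        self.buf = bytearray()
        self.records = []

    def deliver(self, data: bytes) -> None:
        self.buf += data
        while len(self.buf) >= 4:
            (n,) = struct.unpack_from(">I", self.buf, 0)
            if len(self.buf) < 4 + n:
                return          # wait for more; after a gap this wait never ends
            self.records.append(bytes(self.buf[4:4 + n]))
            del self.buf[:4 + n]

    def buffered(self) -> int:
        return len(self.buf)


class NaiveFeeder:
    """Forwards everything to the parser and ignores gap notifications."""

    def __init__(self, parser):
        self.parser = parser
        self.dropped = 0

    def deliver(self, data: bytes) -> None:
        self.parser.deliver(data)

    def undelivered(self, nbytes: int) -> None:
        pass                    # gap ignored: the parser is now out of sync


class GapAwareFeeder(NaiveFeeder):
    """The workaround from the ticket: once the reassembler reports missing bytes,
    stop delivering to the parser, which can no longer locate a record boundary."""

    def __init__(self, parser):
        super().__init__(parser)
        self.saw_gap = False

    def deliver(self, data: bytes) -> None:
        if self.saw_gap:
            self.dropped += len(data)
            return
        self.parser.deliver(data)

    def undelivered(self, nbytes: int) -> None:
        self.saw_gap = True


def encode(payload: bytes) -> bytes:
    """Sender side of the toy record format."""
    return struct.pack(">I", len(payload)) + payload


def simulate(gap_aware: bool, n_after_gap: int = 1000):
    """Constructed stream: one complete record, then a gap that swallows the next
    record's 4-byte length header, then n_after_gap further complete records.
    Returns (records parsed, bytes still buffered, bytes dropped by the feeder)."""
    parser = LengthPrefixedParser()
    feeder = GapAwareFeeder(parser) if gap_aware else NaiveFeeder(parser)
    feeder.deliver(encode(b"first"))
    lost = encode(b"second")
    feeder.undelivered(4)           # reassembler: 4 bytes never arrived
    feeder.deliver(lost[4:])        # the tail of that record does arrive
    for i in range(n_after_gap):
        feeder.deliver(encode(b"record-%d" % i))
    return len(parser.records), parser.buffered(), feeder.dropped


if __name__ == "__main__":
    print("naive:    ", simulate(False))   # buffer keeps growing
    print("gap-aware:", simulate(True))    # buffer stays empty
```

In the naive run the parser reads the first four payload bytes of the damaged record as a huge length and then buffers every subsequent byte of the connection waiting for a record that never completes, which is the excessive-memory behaviour the ticket refers to; the gap-aware feeder drops the same bytes instead of buffering them, trading the rest of the connection's parsed records for bounded memory.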
#610: topic/seth/syslog-analyzer-updates - Updates for syslog analyzer
---------------------------+--------------------
Reporter: seth | Owner:
Type: Merge Request | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Bro | Version:
Keywords: beta |
---------------------------+--------------------
- Supports "Octet Stuffing" mode for Syslog over TCP (untested!). If
someone has a tracefile with TCP syslog, I'd appreciate getting a
few packets.
- DPD support for syslog. Calls ProtocolConfirmation when detected and
includes signatures for UDP and TCP syslog.
- Removing newlines and nulls from EOL when syslog implementation has
included those in the actual message.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/610>
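As an added example (written for this page, not the analyzer code from the branch above), the Python below frames a TCP syslog byte stream both ways RFC 6587 describes: octet counting, which I assume is what the "Octet Stuffing" bullet refers to, and newline-terminated non-transparent framing. It also strips the trailing newlines and NULs mentioned in the last bullet, guesses the framing from the first bytes the way a DPD signature would, and caps the accepted frame length (MAX_MSG_LEN is my own constant). Both sample streams are constructed.

```python
import re

# Constructed sample messages for this example.
MSG1 = b"<34>Oct 11 22:14:15 host su: 'su root' failed for lonvick on /dev/pts/8"
MSG2 = b"<13>host app: hello\n\x00"   # sender put newline + NUL inside the message

OCTET_PREFIX = re.compile(rb"^\d+ <")   # "MSG-LEN SP <PRI>" opens an octet-counted frame
MAX_MSG_LEN = 64 * 1024                  # assumed cap; refuse absurd length prefixes


def strip_eol(msg: bytes) -> bytes:
    """Remove trailing CR/LF/NUL bytes that some syslog senders include in the message."""
    return msg.rstrip(b"\r\n\x00")


def frame_octet_counted(msg: bytes) -> bytes:
    """Sender side of octet counting: decimal length, one space, then the message."""
    return b"%d %s" % (len(msg), msg)


def parse_octet_counted(buf: bytes):
    """Parse as many complete 'MSG-LEN SP SYSLOG-MSG' frames as buf holds.
    Returns (messages, remainder); the remainder is an incomplete frame the caller
    keeps and extends with the next chunk of stream data."""
    msgs = []
    pos = 0
    while pos < len(buf):
        sp = buf.find(b" ", pos)
        if sp == -1:
            break                           # length prefix not complete yet
        length_bytes = buf[pos:sp]
        if not length_bytes.isdigit():
            raise ValueError("bad octet count at offset %d: %r" % (pos, length_bytes))
        length = int(length_bytes)
        if length > MAX_MSG_LEN:
            raise ValueError("octet count %d exceeds cap" % length)
        start = sp + 1
        end = start + length
        if end > len(buf):
            break                           # message body not complete yet
        msgs.append(strip_eol(buf[start:end]))
        pos = end
    return msgs, buf[pos:]


def parse_non_transparent(buf: bytes):
    """Non-transparent framing: each message ends at LF. Returns (messages, remainder)."""
    parts = buf.split(b"\n")
    remainder = parts.pop()                 # bytes after the last LF: unfinished message
    msgs = [strip_eol(p) for p in parts]
    return [m for m in msgs if m], remainder


def detect_framing(buf: bytes) -> str:
    """Guess the framing from the first bytes of the stream, as a DPD signature would."""
    if OCTET_PREFIX.match(buf):
        return "octet-counting"
    if buf.startswith(b"<"):
        return "non-transparent"
    return "unknown"


# Constructed streams: two complete frames plus a truncated third one.
SAMPLE_OCTET_STREAM = frame_octet_counted(MSG1) + frame_octet_counted(MSG2) + b"12 <14>part"
SAMPLE_NT_STREAM = b"<34>msg one\n<34>msg two\x00\n<34>incomplete"

if __name__ == "__main__":
    print(detect_framing(SAMPLE_OCTET_STREAM), parse_octet_counted(SAMPLE_OCTET_STREAM))
    print(detect_framing(SAMPLE_NT_STREAM), parse_non_transparent(SAMPLE_NT_STREAM))
```

The remainder returned by both parsers is what a stream analyzer would carry over to the next DeliverStream call; the length cap matters because an octet-counted prefix is attacker-controlled input, and without a bound a single bogus count would make a buffering parser hold the rest of the connection in memory.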