zeek-dev September 2011

zeek-dev@lists.zeek.org

139 discussions

[Bro-Dev] #478: Move BinPAC docs over to new server

by Bro Tracker

#478: Move BinPAC docs over to new server ----------------------------+-------------------- Reporter: robin | Owner: seth Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Website / Wiki | Version: Keywords: | ----------------------------+-------------------- There's some BinPAC documentation in the old Wiki that we should move over. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/478> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 4 months

[Bro-Dev] #474: &raw_output turns null values into \0

by Bro Tracker

#474: &raw_output turns null values into \0 ---------------------+-------------------- Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Keywords: | ---------------------+-------------------- Files with the raw_output attribute shouldn't do any interpretation to the data. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/474> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 6 months

[Bro-Dev] #579: Syslog logging writer

by Bro Tracker

#579: Syslog logging writer ---------------------+------------------------ Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.7 Component: Bro | Version: git/master Keywords: | ---------------------+------------------------ Martin has completely convinced me of the need for this. I don't know about timeline we should put on it though. The one thought I have about it is that it needs to use TCP due to extremely long lines that Bro logs tend to have. I think it would be ok for it to have the same output rendering that the LogAscii writer has. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/579> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 7 months

[Bro-Dev] #584: DNS TXT record lookup bif

by Bro Tracker

#584: DNS TXT record lookup bif -----------------------------+-------------------- Reporter: seth | Owner: Type: Feature Request | Status: new Priority: Normal | Milestone: Bro1.7 Component: Bro | Version: Keywords: | -----------------------------+-------------------- We need a lookup_txt bif like the lookup_name and lookup_host bifs. It would make two things possible: 1. Improved integration with Team Cymru's malware hash registry. 2. Integration with Google's Certificate Catalog to find "bad" certs. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/584> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 7 months

[Bro-Dev] #578: Add ICMPv6 support to Bro

by Bro Tracker

#578: Add ICMPv6 support to Bro ---------------------+------------------------ Reporter: gregor | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.7 Component: Bro | Version: git/master Keywords: IPv6 | ---------------------+------------------------ Bro currently does not handle ICMPv6 at all (one reason being that Bro ignore IP protocol 58 which is ipv6-icmp) -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/578> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 11 months

[Bro-Dev] #603: Checking correctness of logs

by Bro Tracker

#603: Checking correctness of logs ------------------------+-------------------- Reporter: robin | Type: Task Status: new | Priority: Normal Milestone: Bro1.6 | Component: Bro Version: git/master | ------------------------+-------------------- Before we release the final 2.0, we really need to do a rather thorough check of the logs to make sure they are correct. The way I picture doing that is that everybody picks connections at random and manually checks that the logs report what he'd expect from examining the raw payload with tcdpump/wireshark/strings/whatever. That's pretty painful but I don't really see a better way. Thoughts welcome. -- Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/603> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 11 months

[Bro-Dev] #576: Conn.log does not use well known ports for service field anymore

by Bro Tracker

#576: Conn.log does not use well known ports for service field anymore -----------------------------+-------------------- Reporter: gregor | Owner: Type: Feature Request | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Keywords: BETA | -----------------------------+-------------------- The new conn.log does not use well known ports for the service field anymore. I actually found this feature quite convenient to have. Can we get it back? Maybe by adding an additional column that specifies whether the service field is derived from DPD or port based. Or we have a "dpd_service" column and a "port_service" column. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/576> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 11 months

[Bro-Dev] #519: policy/protocols/http/headers.bro only logs client headers

by Bro Tracker

#519: policy/protocols/http/headers.bro only logs client headers ---------------------+-------------------- Reporter: vern | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Keywords: | ---------------------+-------------------- In Bro 1.5, policy/http-header.bro logs both client and server headers. The new http/headers.bro only logs client headers, which breaks some forms of analysis. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/519> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 11 months

[Bro-Dev] #566: Binpac analyzers and content gaps

by Bro Tracker

#566: Binpac analyzers and content gaps ---------------------+------------------------ Reporter: gregor | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.7 Component: BinPAC | Version: git/master Keywords: | ---------------------+------------------------ Binpac analyzers generally do not handle content gaps. In some cases content gaps might even lead to excessive memory usage (See #565). It's possible to work around this by checking whether there was a gap and not delivering any more data to binpac if there was. However, I think that maybe binpac should handle this directly. After all, there's a NewGap() method in binpac.... (We might also want to not address this issue and wait for binpac++ to solve issues like that) -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/566> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 11 months

[Bro-Dev] #610: topic/seth/syslog-analyzer-updates - Updates for syslog analyzer

by Bro Tracker

#610: topic/seth/syslog-analyzer-updates - Updates for syslog analyzer ---------------------------+-------------------- Reporter: seth | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Keywords: beta | ---------------------------+-------------------- - Supports "Octet Stuffing" mode for Syslog over TCP (untested!). If someone has a tracefile with TCP syslog, I'd appreciate getting a few packets. - DPD support for syslog. Calls ProtocolConfirmation when detected and includes signatures for UDP and TCP syslog. - Removing newlines and nulls from EOL when syslog implementation has included those in the actual message. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/610> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 11 months

Jump to page:

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

zeek-dev September 2011