#866: Problem with set initializers
----------------------+------------------------
Reporter: seth | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: language |
----------------------+------------------------
This code doesn't work:
{{{
const blah: set[string] = set("test1") &redef;
redef blah += {
"test2",
"test3",
};
}}}
But this does:
{{{
const blah: set[string] = { "test1" } &redef;
redef blah += {
"test2",
"test3",
};
}}}
There is definitely still some trouble with the two different set
initializers.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/866>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
#908: Need for function bytestring_to_double
------------------------+-----------------------------
Reporter: carsten | Type: Feature Request
Status: new | Priority: Normal
Milestone: Bro2.2 | Component: Bro
Version: git/master | Keywords:
------------------------+-----------------------------
Hi,
for my analysis I need a function to interpret an 8-byte bytestring from
network traffic as a double value. Such a function is currently missing from
bro.bif.
The attached addition to bro.bif works for me.
Would be nice if you could include it in the regular release.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/908>
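The conversion the ticket asks for, as an added example written for this page (it is not the reporter's attached bro.bif patch and not Bro's own API): an 8-byte field from the wire is reassembled into an IEEE 754 double, with the caller choosing the byte order and a length check so that a field that is not exactly 8 bytes is rejected instead of silently reinterpreted. The function names and sample byte strings are constructed for illustration.

```c
#include <math.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: interpret exactly 8 bytes as an IEEE 754 double.
 * big_endian selects the byte order the bytes arrived in (network order
 * is big-endian). Returns 0 on success, -1 if the input is not 8 bytes. */
static int bytestring_to_double(const unsigned char *buf, size_t len,
                                int big_endian, double *out)
{
    uint64_t bits = 0;
    size_t i;

    if (buf == NULL || out == NULL || len != sizeof(double))
        return -1; /* short or long fields must not be reinterpreted */

    /* Assemble the most significant byte first into an integer value; the
     * value is then host-independent, whatever the host's own byte order. */
    for (i = 0; i < 8; i++)
        bits = (bits << 8) | (big_endian ? buf[i] : buf[7 - i]);

    /* memcpy is the portable way to reinterpret the bit pattern;
     * a pointer cast would violate strict aliasing. */
    memcpy(out, &bits, sizeof(double));
    return 0;
}

/* Convenience wrapper: NaN signals a rejected input. */
static double decode_or_nan(const unsigned char *buf, size_t len, int big_endian)
{
    double v;
    return bytestring_to_double(buf, len, big_endian, &v) == 0 ? v : NAN;
}

/* Constructed sample fields (not captured traffic). */
static const unsigned char SAMPLE_ONE_BE[8]  = {0x3F,0xF0,0,0,0,0,0,0};       /* 1.0, big-endian */
static const unsigned char SAMPLE_ONE_LE[8]  = {0,0,0,0,0,0,0xF0,0x3F};       /* 1.0, little-endian */
static const unsigned char SAMPLE_NEG25_BE[8] = {0xC0,0x04,0,0,0,0,0,0};      /* -2.5, big-endian */
static const unsigned char SAMPLE_SHORT[4]   = {0x3F,0xF0,0,0};               /* truncated field */

int main(void)
{
    printf("%g %g %g\n", decode_or_nan(SAMPLE_ONE_BE, 8, 1),
           decode_or_nan(SAMPLE_ONE_LE, 8, 0), decode_or_nan(SAMPLE_NEG25_BE, 8, 1));
    printf("short field rejected: %d\n", isnan(decode_or_nan(SAMPLE_SHORT, 4, 1)));
    return 0;
}
```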
#914: topic/seth/intel-framework
---------------------------+------------------------
Reporter: seth | Owner: robin
Type: Merge Request | Status: new
Priority: Normal | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: |
---------------------------+------------------------
This is ready for an initial merge. It's fully functional and being
tested on live traffic at a few sites now. There are a couple of core
features missing still:
- Intelligence handling policy.
- Whitelisting (like marking data as a false positive)
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/914>
#579: Syslog logging writer
---------------------+------------------------
Reporter: seth | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.7
Component: Bro | Version: git/master
Keywords: |
---------------------+------------------------
Martin has completely convinced me of the need for this. I don't know
about the timeline we should put on it though. The one thought I have about
it is that it needs to use TCP due to extremely long lines that Bro logs
tend to have. I think it would be ok for it to have the same output
rendering that the LogAscii writer has.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/579>
#857: Change capture port in HTTP analyzer from 3138/tcp instead of 3128/tcp
------------------------+---------------------
Reporter: aashish | Type: Problem
Status: new | Priority: High
Milestone: | Component: Bro
Version: git/master | Keywords:
------------------------+---------------------
Port definitions in main.bro in ../share/bro/base/protocols/http/main.bro
have 3138/tcp defined in structures "ports", "likely_server_ports" and
"capture_filters".
This should be 3128/tcp to capture traffic for squid proxy.
Config below:
{{{
# DPD configuration.
const ports = {
80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
8000/tcp, 8080/tcp, 8888/tcp,
};
redef dpd_config += {
[[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports],
};
redef capture_filters += {
["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)"
};
redef likely_server_ports += {
80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
8000/tcp, 8080/tcp, 8888/tcp,
};
}}}
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/857>
#584: DNS TXT record lookup bif
-----------------------------+--------------------
Reporter: seth | Owner:
Type: Feature Request | Status: new
Priority: Normal | Milestone: Bro1.7
Component: Bro | Version:
Keywords: |
-----------------------------+--------------------
We need a lookup_txt bif like the lookup_name and lookup_host bifs. It
would make two things possible:
1. Improved integration with Team Cymru's malware hash registry.
2. Integration with Google's Certificate Catalog to find "bad" certs.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/584>
Sorry for the huge delay in getting this out there - it just fell on the back burner.
I've put my code up at <https://github.com/grigorescu/bro/tree/topic/vladg/dns_txt_queries>. The changes weren't terribly significant. It adds lookup_hostname_txt:
> when (local result = lookup_hostname_txt("733a48a9cb49651d72fe824ca91e8d00.malware.hash.cymru.com"))
> print result;
Please let me know if anyone sees any issues. There is a save TXT function, but there is no capability to read the data back from a file, as I mentioned. If someone wants to take a stab at getting that working properly, please feel free. Otherwise, let me know and I'll remove the save function.
Thanks,
--Vlad
On Aug 30, 2012, at 11:38 AM, Robin Sommer <robin(a)icir.org> wrote:
> Cool, thanks for working on this, Vlad.
>
> On Thu, Aug 30, 2012 at 05:04 -0500, you wrote:
>
>> As the previous poor soul to touch that code, I wouldn't mind looking at
>> what you've got so far and then attempting to add the caching support.
>
> If the caching is tricky to get in (or makes the code even worse ...),
> we can indeed skip it. The main reason for having the caching at all
> is DNS names embedded in scripts (e.g., code of the form "set[addr] =
> { foo.bar }"). Bro looks these up once at startup and that can
> potentially take a while if there are a lot or responses are coming in
> slowly. So what one can do is "prime" the cache first, so that the
> next time Bro starts up, it doesn't need to do the lookups. That was
> more important in the Old Days though when people restarted Bro once a
> day to flush state and that had to be fast.
>
> This is all not relevant to TXT records. And, in fact, I've already
> been wondering if we can get rid of the cache altogether to simplify
> the DNS code.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
#913: Option to specify interface in bro-aux/rst
------------------------+-------------------------------
Reporter: grigorescu | Type: Merge Request
Status: new | Priority: Normal
Milestone: Bro2.2 | Component: bro-aux
Version: git/master | Keywords: aux rst interface
------------------------+-------------------------------
I needed to be able to set the interface used to inject RST packets with
the rst aux utility. I made a couple of changes to add this ability to
rst. Please see attached patch.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/913>