zeek-dev October 2012

zeek-dev@lists.zeek.org

82 discussions

[Bro-Dev] #866: Problem with set initializers

by Bro Tracker

#866: Problem with set initializers ----------------------+------------------------ Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: language | ----------------------+------------------------ This code doesn't work: {{{ const blah: set[string] = set("test1") &redef; redef blah += { "test2", "test3", }; }}} But this does: {{{ const blah: set[string] = { "test1" } &redef; redef blah += { "test2", "test3", }; }}} There is definitely still some trouble with the two different set initializers. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/866> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 5 months

[Bro-Dev] #696: broctl dumps python traceback information when bro is communicating with other worker nodes and quits

by Bro Tracker

#696: broctl dumps python traceback information when bro is communicating with other worker nodes and quits ---------------------+--------------------- Reporter: aashish | Type: Problem Status: new | Priority: Normal Milestone: | Component: Bro Version: 1.5.3 | Keywords: ---------------------+--------------------- broctl dumps python traceback information when bro is communicating (ssh) with other worker nodes and this continues until the ssh connection is over. $ broctl check Traceback (most recent call last): File "/home/users/bro/cluster/bin/broctl", line 726, in <module> loop.onecmd(line) File "/usr/local/lib/python2.6/cmd.py", line 219, in onecmd return func(arg) File "/home/users/bro/cluster/bin/broctl", line 359, in do_check self.lock() File "/home/users/bro/cluster/bin/broctl", line 96, in lock if not util.lock(): File "/home/users/bro/cluster/lib/broctl/BroControl/util.py", line 180, in lock if do_ouput: NameError: global name 'do_ouput' is not defined Process info as follows: [bro@host]$ ps auxwww | fgrep bro bro 12704 1.6 0.2 10208 6676 ?? D 2:30PM 0:01.85 python /home/users/bro/cluster/bin/broctl cron bro 12613 0.0 0.1 4464 1716 ?? Is 2:30PM 0:00.01 /bin/csh -c /home/users/bro/cluster/bin/broctl cron bro 12743 0.0 0.0 3464 1120 ?? Is 2:30PM 0:00.00 /bin/sh -c sh bro 12745 0.0 0.0 3464 1120 ?? I 2:30PM 0:00.00 sh bro 12755 0.0 0.0 3464 1120 ?? Is 2:30PM 0:00.01 /bin/sh -c ssh -o ConnectTimeout=30 -l bro bc2-proxy sh bro 12757 0.0 0.1 5560 2644 ?? I 2:30PM 0:00.03 ssh -o ConnectTimeout=30 -l bro bc2-proxy sh bro 12766 0.0 0.0 3464 1120 ?? Is 2:30PM 0:00.00 /bin/sh -c ssh -o ConnectTimeout=30 -l bro bc2-01 sh bro 12768 0.0 0.1 5560 2644 ?? I 2:30PM 0:00.03 ssh -o ConnectTimeout=30 -l bro bc2-01 sh bro 12772 0.0 0.0 3464 1120 ?? Is 2:30PM 0:00.00 /bin/sh -c ssh -o ConnectTimeout=30 -l bro bc2-10 sh bro 12774 0.0 0.1 5560 2644 ?? I 2:30PM 0:00.03 ssh -o ConnectTimeout=30 -l bro bc2-10 sh bro 12779 0.0 0.0 3464 1120 ?? Is 2:30PM 0:00.00 /bin/sh -c ssh -o ConnectTimeout=30 -l bro bc2-02 sh bro 12781 0.0 0.1 5560 2644 ?? I 2:30PM 0:00.03 ssh -o ConnectTimeout=30 -l bro bc2-02 sh bro 12793 0.0 0.0 3464 1120 ?? Is 2:30PM 0:00.00 /bin/sh -c ssh -o ConnectTimeout=30 -l bro bc2-03 sh bro 12795 0.0 0.1 5560 2644 ?? I 2:30PM 0:00.03 ssh -o ConnectTimeout=30 -l bro bc2-03 sh bro 12798 0.0 0.0 3464 1120 ?? Is 2:30PM 0:00.00 /bin/sh -c ssh -o ConnectTimeout=30 -l bro bc2-04 sh bro 12800 0.0 0.1 5560 2644 ?? I 2:30PM 0:00.03 ssh -o ConnectTimeout=30 -l bro bc2-04 sh bro 12803 0.0 0.0 3464 1120 ?? Is 2:30PM 0:00.00 /bin/sh -c ssh -o ConnectTimeout=30 -l bro bc2-05 sh bro 12805 0.0 0.1 5560 2644 ?? I 2:30PM 0:00.04 ssh -o ConnectTimeout=30 -l bro bc2-05 sh bro 12815 0.0 0.0 3464 1120 ?? Is 2:30PM 0:00.00 /bin/sh -c ssh -o ConnectTimeout=30 -l bro bc2-06 sh bro 12817 0.0 0.1 5560 2644 ?? I 2:30PM 0:00.04 ssh -o ConnectTimeout=30 -l bro bc2-06 sh bro 12820 0.0 0.0 3464 1120 ?? Is 2:30PM 0:00.00 /bin/sh -c ssh -o ConnectTimeout=30 -l bro bc2-07 sh bro 12822 0.0 0.1 5560 2644 ?? I 2:30PM 0:00.03 ssh -o ConnectTimeout=30 -l bro bc2-07 sh bro 12825 0.0 0.0 3464 1120 ?? Is 2:30PM 0:00.00 /bin/sh -c ssh -o ConnectTimeout=30 -l bro bc2-08 sh bro 12827 0.0 0.1 5560 2644 ?? I 2:30PM 0:00.03 ssh -o ConnectTimeout=30 -l bro bc2-08 sh bro 12830 0.0 0.0 3464 1120 ?? Is 2:30PM 0:00.00 /bin/sh -c ssh -o ConnectTimeout=30 -l bro bc2-09 sh bro 12831 0.0 0.1 5560 2644 ?? I 2:30PM 0:00.03 ssh -o ConnectTimeout=30 -l bro bc2-09 sh -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/696> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 5 months

[Bro-Dev] #870: Merge Modbus analyzer

by Bro Tracker

#870: Merge Modbus analyzer ---------------------------+------------------------ Reporter: robin | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: | ---------------------------+------------------------ In Dina's branch {{{topic/dina/modbus}}}. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/870> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 6 months

[Bro-Dev] #908: Need for function bytestring_to_double

by Bro Tracker

#908: Need for function bytestring_to_double ------------------------+----------------------------- Reporter: carsten | Type: Feature Request Status: new | Priority: Normal Milestone: Bro2.2 | Component: Bro Version: git/master | Keywords: ------------------------+----------------------------- Hi, for my analysis I need a function to interpret a 8-byte bytestring from network traffic as a double value. Such function is currently missing from bro.bif. The attached addition to bro.bif works for me. Would be nice if you could include it in the regular release. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/908> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 6 months

[Bro-Dev] #914: topic/seth/intel-framework

by Bro Tracker

#914: topic/seth/intel-framework ---------------------------+------------------------ Reporter: seth | Owner: robin Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: | ---------------------------+------------------------ This is ready for an initial merge. It's fully functional and being tested on live traffic at a few sites now. There are a couple of core features missing still: - Intelligence handling policy. - Whitelisting (like marking data as a false positive) -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/914> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 6 months

[Bro-Dev] #579: Syslog logging writer

by Bro Tracker

#579: Syslog logging writer ---------------------+------------------------ Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.7 Component: Bro | Version: git/master Keywords: | ---------------------+------------------------ Martin has completely convinced me of the need for this. I don't know about timeline we should put on it though. The one thought I have about it is that it needs to use TCP due to extremely long lines that Bro logs tend to have. I think it would be ok for it to have the same output rendering that the LogAscii writer has. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/579> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 6 months

[Bro-Dev] #857: Change capture port in HTTP analyzer from 3138/tcp instead of 3128/tcp

by Bro Tracker

#857: Change capture port in HTTP analyzer from 3138/tcp instead of 3128/tcp ------------------------+--------------------- Reporter: aashish | Type: Problem Status: new | Priority: High Milestone: | Component: Bro Version: git/master | Keywords: ------------------------+--------------------- Port definitions in main.bro in ../share/bro/base/protocols/http/main.bro has 3138/tcp defined in structures "ports", "likely_server_ports" and "capture_filters" This should be 3128/tcp to capture traffic for squid proxy. Config below: # DPD configuration. const ports = { 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, 8000/tcp, 8080/tcp, 8888/tcp, }; redef dpd_config += { [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports], }; redef capture_filters += { ["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)" }; redef likely_server_ports += { 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, 8000/tcp, 8080/tcp, 8888/tcp, }; -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/857> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 6 months

[Bro-Dev] #584: DNS TXT record lookup bif

by Bro Tracker

#584: DNS TXT record lookup bif -----------------------------+-------------------- Reporter: seth | Owner: Type: Feature Request | Status: new Priority: Normal | Milestone: Bro1.7 Component: Bro | Version: Keywords: | -----------------------------+-------------------- We need a lookup_txt bif like the lookup_name and lookup_host bifs. It would make two things possible: 1. Improved integration with Team Cymru's malware hash registry. 2. Integration with Google's Certificate Catalog to find "bad" certs. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/584> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 6 months

Re: [Bro-Dev] DNS TXT Queries and the Cache File

by Vlad Grigorescu

Sorry for the huge delay in getting this out there - it just fell on the back burner. I've put my code up at <https://github.com/grigorescu/bro/tree/topic/vladg/dns_txt_queries>. The changes weren't terribly significant. It adds lookup_hostname_txt: > when (local result = lookup_hostname_txt("733a48a9cb49651d72fe824ca91e8d00.malware.hash.cymru.com")) > print result; Please let me know if anyone sees any issues. There is a save TXT function, but there is no capability to read the data back from a file, as I mentioned. If someone wants to take a stab to getting that working properly, please feel free. Otherwise, let me know and I'll remove the save function. Thanks, --Vlad On Aug 30, 2012, at 11:38 AM, Robin Sommer <robin(a)icir.org> wrote: > Cool, thanks for working on this, Vlad. > > On Thu, Aug 30, 2012 at 05:04 -0500, you wrote: > >> As the previous poor soul to touch that code, I wouldn't mind looking at >> what you've got so far and then attempting to add the caching support. > > If the caching is trikcy to get in (or makes the code even worse ...), > we can indeed skip it. The main reason for having the caching at all > is DNS names embedded in scripts (e.g., code of the form "set[addr] = > { foo.bar }"). Bro looks these up once at startup and that can > potentially take a while if there are a lot or responses are coming in > slowly. So what one can do is "prime" the cache first, so that the > next time Bro starts up, it doesn't need to do the lookups. That was > more important in the Old Days though when people restarted Bro once a > day to flush state and that had to be fast. > > This is all not relevant to TXT records. And, in fact, I've already > been wondering if we can get rid of the cache altogether to simplify > the DNS code. > > Robin > > -- > Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org > ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org > _______________________________________________ > bro-dev mailing list > bro-dev(a)bro-ids.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

9 years, 6 months

[Bro-Dev] #913: Option to specify interface in bro-aux/rst

by Bro Tracker

#913: Option to specify interface in bro-aux/rst ------------------------+------------------------------- Reporter: grigorescu | Type: Merge Request Status: new | Priority: Normal Milestone: Bro2.2 | Component: bro-aux Version: git/master | Keywords: aux rst interface ------------------------+------------------------------- I needed to be able to set the interface used to inject RST packets with the rst aux utility. I made a couple of changes to add this ability to rst. Please see attached patch. -- Ticket URL: <http://tracker.bro-ids.org/bro/ticket/913> Bro Tracker <http://tracker.bro-ids.org/bro> Bro Issue Tracker

9 years, 6 months

← Newer
1
2
3
4
5
6
7
8
9
Older →

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

zeek-dev October 2012