[ https://bro-tracker.atlassian.net/browse/BIT-1090?page=com.atlassian.jira.p… ]
tyler.schoenke commented on BIT-1090:
-------------------------------------
Hi Seth,
I think you missed the part below where I said I modified the data structure to be a set of subnets. Devices connecting to github have been firing the alert. Since github has multiple IP ranges, I needed a set of subnets in order to effectively whitelist. Once this is working, I think this change would be a good enhancement request for the existing detect-bruteforcing script.
Tyler
> fatal error Val::CONVERTER
> --------------------------
>
> Key: BIT-1090
> URL: https://bro-tracker.atlassian.net/browse/BIT-1090
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.1
> Environment: Ubuntu 10.04.03 LTS, bro 2.1-179
> Reporter: tyler.schoenke
> Attachments: my-detect-bruteforcing.bro, sigsup-ssh-pass2.bro
>
>
> Hi guys,
> I get the following message when I modified a data structure in detect-bruteforcing.bro. I didn't get a chance to test against the current version, but did a quick check against the mailing lists and tracker and didn't see this issue mentioned.
> $ bro my-detect-bruteforcing.bro sigsup-ssh-pass2.bro
> fatal error in ./sigsup-ssh-pass2.bro, line 2: Val::CONVERTER (types/table) (10.0.0.1/32)
> Here is the modification to detect-bruteforcing.bro:
> const ignore_guessers: table[subnet] of set[subnet] = {} &redef;
> I found the need to whitelist from a single host to multiple subnets instead of a single subnet. The following minimal script will produce the error.
> cat sigsup-ssh-pass2.bro
> redef SSH::ignore_guessers = {
> [172.0.0.0/16] = set( 10.0.0.1/32 )
> };
> Any help would be appreciated.
> Thanks,
> Tyler
--
This message was sent by Atlassian JIRA
(v6.2-OD-01#6204)
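The lookup that a table[subnet] of set[subnet] whitelist implies, modelled in Python as an added example (not code from the ticket or from Bro). It assumes the check is "guesser address falls in an index subnet and server address falls in one of the yielded subnets", and it reproduces the longest-prefix match Bro applies when a subnet-indexed table is looked up with an address; all addresses other than the ticket's 172.0.0.0/16 and 10.0.0.1/32 are constructed.

```python
import ipaddress

# Constructed sample data shaped like the ticket's table[subnet] of set[subnet]:
# index = subnet of the guessing host, yield = server subnets to ignore.
IGNORE_GUESSERS = {
    "172.0.0.0/16": {"10.0.0.1/32", "10.0.2.0/24"},
    "172.0.5.0/24": {"10.9.0.0/16"},  # more specific index, shadows the /16
}


def compile_table(raw):
    """Parse string keys and values into ip_network objects once, up front."""
    return {
        ipaddress.ip_network(src): {ipaddress.ip_network(d) for d in dsts}
        for src, dsts in raw.items()
    }


def longest_match(table, addr):
    """Return the most specific index subnet containing addr, or None."""
    hits = [net for net in table if addr in net]
    return max(hits, key=lambda net: net.prefixlen, default=None)


def is_ignored(table, guesser, server):
    """True if the (guesser, server) pair is covered by the whitelist.

    Only the longest-prefix index entry is consulted, so a narrower entry
    replaces (does not extend) the server set of a broader one.
    """
    g = ipaddress.ip_address(guesser)
    s = ipaddress.ip_address(server)
    index = longest_match(table, g)
    if index is None:
        return False
    return any(s in dst for dst in table[index])


TABLE = compile_table(IGNORE_GUESSERS)

if __name__ == "__main__":
    for pair in [("172.0.1.7", "10.0.2.55"), ("172.0.5.9", "10.0.0.1")]:
        print(pair, is_ignored(TABLE, *pair))
```

The second pair is the case to watch: 172.0.5.9 is inside 172.0.0.0/16, but the narrower /24 entry wins the lookup, so servers whitelisted only under the /16 still raise the alert for that host.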
[ https://bro-tracker.atlassian.net/browse/BIT-1090?page=com.atlassian.jira.p… ]
Seth Hall commented on BIT-1090:
--------------------------------
That syntax is wrong, use...
redef SSH::ignore_guessers += {
[172.0.0.0/16] = 10.0.0.1/32,
[192.168.1.0/16] = 192.168.2.0/32
};
Also, the yield value for that table is just a subnet. Not a set of subnets.
[ https://bro-tracker.atlassian.net/browse/BIT-1093?page=com.atlassian.jira.p… ]
Jon Siwek updated BIT-1093:
---------------------------
Status: Closed (was: Reopened)
> topic/jsiwek/thread-termination
> -------------------------------
>
> Key: BIT-1093
> URL: https://bro-tracker.atlassian.net/browse/BIT-1093
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Assignee: Robin Sommer
> Fix For: 2.2
>
>
> The change in this branch should fix the case where the last remaining done/killed thread never got processed (main thread never received pending messages from it or joined/deleted it) until Bro terminates. Which was problematic if the termination condition depended on processing messages from the last remaining thread.
> The new code's logic is contrary to what it used to be, but I can't figure out what the old was trying to accomplish and think it could only have caused problems.
[ https://bro-tracker.atlassian.net/browse/BIT-1093?page=com.atlassian.jira.p… ]
Jon Siwek commented on BIT-1093:
--------------------------------
{{testing/btst/scripts/base/frameworks/input/missing-file.bro}} seems to at least be checking part of the problem mentioned in BIT-858. And I don't think that this conflicts with what was addressed there. Here's an abbreviated history of "thread termination":
743fc1680dc9d4c04f38ca80c7ef4e5b88e8f4cb
- threading::Manager::Process() and threading::Manager::NextTimestamp() both check for "{{&& ! t->Killed()}}"
- The assumption is that you're not allowed to read from a "dead" thread's queue and threads are only cleaned up in threading::Manager::Terminate()
38e1dc9ca47d97508276a2f7192c5353bb8e6837
- threading::Manager::Process() can now also clean up dead threads
b947394990720032ac7f374f7c9d1902ed4485b9
- Reading from a dead thread's queue is now supported
- "{{&& ! t->Killed()}}" check is removed from threading::Manager::Process() to allow flushing out a dead thread's queue before cleaning it up, but the check still remains in threading::Manager::NextTimestamp()
To me, looks like the NextTimestamp code just didn't evolve w/ the rest.
[ https://bro-tracker.atlassian.net/browse/BIT-1090?page=com.atlassian.jira.p… ]
tyler.schoenke commented on BIT-1090:
-------------------------------------
I set up the file without the redef, and formatted it as you specified.
$ cat sigsup-ssh-pass3.bro
SSH::ignore_guessers[172.0.0.0/16] = set( 10.0.0.1/32 );
SSH::ignore_guessers[192.168.1.0/16] = set( 192.168.2.0/32 );
That got rid of the fatal error, but it looks like the array is empty. Maybe the -I option is showing the value of the array before it gets populated by the bro script?
$ bro my-detect-bruteforcing.bro sigsup-ssh-pass3.bro -I SSH::ignore_guessers;
SSH::ignore_guessers : table[subnet] of set[subnet] = {
} &redef
Tyler
[ https://bro-tracker.atlassian.net/browse/BIT-1093?page=com.atlassian.jira.p… ]
Robin Sommer updated BIT-1093:
------------------------------
Status: Reopened (was: Closed)
[ https://bro-tracker.atlassian.net/browse/BIT-1093?page=com.atlassian.jira.p… ]
Robin Sommer updated BIT-1093:
------------------------------
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)
[ https://bro-tracker.atlassian.net/browse/BIT-1093?page=com.atlassian.jira.p… ]
Robin Sommer commented on BIT-1093:
-----------------------------------
I've merged it but reopening for the double-check.
[ https://bro-tracker.atlassian.net/browse/BIT-1093?page=com.atlassian.jira.p… ]
Robin Sommer commented on BIT-1093:
-----------------------------------
I looked up when the original "{{&& ! Killed()}}" code got introduced, that was in 743fc1680dc9d4c04f38ca80c7ef4e5b88e8f4cb and the commit message points to BIT-858. Can you take a look and double-check that the problem described there is still addressed with the new version to be sure we don't introduce a regression? (Not immediately sure if we have a test that covers that).