#988: Bug in HTTP body extraction
----------------------+--------------------
Reporter: matthias | Owner: seth
Type: Problem | Status: new
Priority: High | Milestone: Bro2.2
Component: Bro | Version: 2.1
Keywords: |
----------------------+--------------------
There exists a bug in HTTP body extraction that prevents certain bodies
from being dumped, even though I have set
{{{
redef extract_file_types = /.*/;
}}}
This happens presumably because Bro does not figure out the correct MIME
type and does not set `c$http$mime_type`. It results in this check
failing:
{{{
if ( c$http?$mime_type && extract_file_types in c$http$mime_type )
{
c$http$extract_file = T;
}
}}}
On a related note, I also find missing responses to HTTP POST requests,
which I assume come from the same issue.
I have a trace that I could attach, but wanted to make sure it's worth the
effort in face of the upcoming file analysis framework, or if we plan on
pushing a 2.1 hotfix for this.
--
Ticket URL: <http://tracker.bro.org/bro/ticket/988>
Bro Tracker <http://tracker.bro.org/bro>
Bro Issue Tracker
#985: 'tail -f' functionality for file reading in input framework
------------------------+-----------------------------
Reporter: scampbell | Type: Feature Request
Status: new | Priority: Low
Milestone: Bro2.2 | Component: Bro
Version: git/master | Keywords:
------------------------+-----------------------------
With the current input framework, file data -> event translation requires
that the entire data file be read at bro start time. This can be
prohibitive when the file sizes become large ( > 1GB ).
It would be great to see a file open option that would start reading at
the end of the file.
--
Ticket URL: <http://tracker.bro.org/bro/ticket/985>
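The feature requested above (open a file, start at its end, and only deliver lines appended afterwards) is easy to get wrong once logs rotate or get truncated. The following is an added illustration in Python, not Bro's input framework and not code from the ticket; `TailReader` and `demo` are hypothetical names, and the log contents are constructed for the demonstration. It tracks the file's inode and the byte offset already consumed, so a rotated path (new inode) or a truncated file (size smaller than the saved offset) restarts reading at offset zero rather than at a stale position.

```python
import os


class TailReader:
    """Follow a file the way `tail -f` does, starting at its current end.

    Hypothetical helper written for this note; it is not part of Bro's input
    framework. It records the file's inode and the byte offset read so far.
    A changed inode (log rotation: the path now names a new file) or a size
    smaller than the saved offset (truncation) resets the offset to zero so
    reading resumes at the start of the new content instead of at a stale
    position inside the old file.
    """

    def __init__(self, path, start_at_end=True):
        self.path = path
        self.partial = b""        # bytes after the last newline seen so far
        st = os.stat(path)
        self.inode = st.st_ino
        self.offset = st.st_size if start_at_end else 0

    def _check_rotation(self):
        """Reset state if the path now names a different or shorter file."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return False          # mid-rotation; try again on the next poll
        if st.st_ino != self.inode or st.st_size < self.offset:
            self.inode = st.st_ino
            self.offset = 0
            self.partial = b""
        return True

    def poll(self):
        """Return the complete lines appended since the previous call."""
        if not self._check_rotation():
            return []
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
            self.offset = f.tell()
        buf = self.partial + data
        lines = buf.split(b"\n")
        self.partial = lines.pop()    # trailing bytes without a newline yet
        return [line.decode("utf-8", "replace") for line in lines]


def demo():
    """Constructed scenario: pre-existing lines, appends, a split line,
    truncation and rotation. Returns the list each poll() produced."""
    import tempfile
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")
        with open(path, "wb") as f:
            f.write(b"old line 1\nold line 2\n")
        t = TailReader(path)            # starts at EOF: old lines are skipped
        results.append(t.poll())        # []
        with open(path, "ab") as f:
            f.write(b"new line\nhalf")
        results.append(t.poll())        # ['new line']; 'half' is buffered
        with open(path, "ab") as f:
            f.write(b" done\n")
        results.append(t.poll())        # ['half done']
        with open(path, "wb") as f:     # truncate and rewrite in place
            f.write(b"after truncate\n")
        results.append(t.poll())        # ['after truncate']
        os.replace(path, path + ".1")   # rotate: path now gets a new inode
        with open(path, "wb") as f:
            f.write(b"first line of new file\n")
        results.append(t.poll())        # ['first line of new file']
    return results


if __name__ == "__main__":
    print(demo())
```

The size check only detects a truncation that leaves the file shorter than the offset already consumed; a truncate-and-rewrite that grows past the old offset in one step is indistinguishable from an append, which is the same limitation `tail -f` has.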
#983: Deep typing bug
---------------------+------------------------
Reporter: seth | Owner:
Type: Problem | Status: new
Priority: High | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: |
---------------------+------------------------
This looks like an issue where the automatic typing is digging down one
layer (beyond the set to the first record) but then doesn't auto type the
record a layer deeper and gives an error. This is kind of a major
usability issue for the 2.2 release because of how the vulnerable software
version script works.
Example script:
{{{
@load frameworks/software/vulnerable
redef Software::vulnerable_versions += {
["Java"] = set([$max=[$major=1,$minor=5,$minor2=999]],
[$min=[$major=1,$minor=6],
$max=[$major=1,$minor=6,$minor2=0,$minor3=43]],
[$min=[$major=1,$minor=7],
$max=[$major=1,$minor=7,$minor2=0,$minor3=20]])
};
}}}
Gives the output:
{{{
error in ./test-vuln.bro, line 3: type error in initialization
([$max=[$major=1, $minor=5, $minor2=999]], [$min=[$major=1, $minor=6],
$max=[$major=1, $minor=6, $minor2=0, $minor3=43]], [$min=[$major=1,
$minor=7], $max=[$major=1, $minor=7, $minor2=0, $minor3=20]])
}}}
--
Ticket URL: <http://tracker.bro.org/bro/ticket/983>
#970: broctl restart eating logs?
------------------------+-----------------------------
Reporter: robin | Type: Problem
Status: new | Priority: Low
Milestone: Bro2.2 | Component: Bro
Version: git/master | Resolution: Solved/Applied
------------------------+-----------------------------
It looks like "broctl restart" sometimes deletes logs before they get
archived. We need to investigate what might be going on there.
This may or may not be related to the missing support for the old
"--keep-tmp" option. However, it seems to happen without --clear as
well. Aashish can provide details / help test fixes.
--
Ticket URL: <http://tracker.bro.org/bro/ticket/970>
#982: topic/jsiwek/file-analysis
---------------------------+------------------------
Reporter: jsiwek | Owner:
Type: Merge Request | Status: new
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: |
---------------------------+------------------------
This branch is in `bro`, `cmake`, `bro-testing`, and `bro-testing-private`
repos.
I'm claiming it's "ready" in the sense that "file analysis" functionality
has parity with what was previously offered, but in a more general/robust
way instead of the old method of concentrating logic around protocol
specific events (mime/http entity data).
--
Ticket URL: <http://tracker.bro.org/bro/ticket/982>
#989: topic/dnthayer/cleanup2
---------------------------+------------------------
Reporter: dnthayer | Owner:
Type: Merge Request | Status: new
Priority: Medium | Milestone: Bro2.2
Component: BroControl | Version: git/master
Keywords: |
---------------------------+------------------------
This branch fixes various issues with broctl, including
a few critical fixes for running broctl on OS X, and adds
more error checks to help prevent broctl cron from crashing.
Here are the one-line summaries of all commits in this branch:
Check exit status of croncmd
Improve error checking of top helper output
Improve error checking of capstats output
Add more error reporting to broctl cron
Fix a bug when the time command is not found
Fix the broctl top and cron commands on OS X
Fix a couple of bugs in the broctl ps plugin
Remove unused broctl scripts
Improve the check-pid helper script
--
Ticket URL: <http://tracker.bro.org/bro/ticket/989>
#972: Default arguments for functions
-----------------------------+------------------------
Reporter: robin | Owner:
Type: Feature Request | Status: new
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: |
-----------------------------+------------------------
it would be very convenient to support default arguments for functions,
including for BiFs.
--
Ticket URL: <http://tracker.bro.org/bro/ticket/972>
#976: regex change in syslog-analyzer.pac
------------------------+--------------------
Reporter: aashish | Type: Patch
Status: new | Priority: Medium
Milestone: Bro2.2 | Component: Bro
Version: git/master | Keywords:
------------------------+--------------------
Changing {{{[[:digit:]] to [[:alnum:]]}}} allows the syslog analyzer to capture Windows logs,
specifically when logs are forwarded via Snare.
I can provide a trace, if desired. I tested this change locally and it seems
to be working just fine.
{{{
diff --git a/src/syslog-protocol.pac b/src/syslog-protocol.pac
index a2bf8a3..bc6d931 100644
--- a/src/syslog-protocol.pac
+++ b/src/syslog-protocol.pac
@@ -5,7 +5,7 @@ type Syslog_Message = record {
type Syslog_Priority = record {
lt : uint8 &check(lt == "<");
- val : RE/[[:digit:]]+/;
+ val : RE/[[:alnum:]]+/;
gt : uint8 &check(gt == ">");
} &let {
val_length: int = sizeof(val) - 1;
}}}
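Review bot: widening `val` from `RE/[[:digit:]]+/` to `RE/[[:alnum:]]+/` lets letters into the PRI field, but the hunk does not show what later turns `val` into a facility/severity number (only `val_length: int = sizeof(val) - 1;` is visible); if that code still assumes digits, a non-numeric field will be silently turned into a wrong priority instead of being rejected. Either keep the digit-only pattern and add a separate record form for the Snare variant, or validate the captured value in the `&let` section (all digits, at most 191 per RFC 3164/5424) and report anything else as a protocol violation. The ticket offers a trace; it should go in as a regression test with this change. Also note the diff touches `src/syslog-protocol.pac` while the ticket title names `syslog-analyzer.pac`, so confirm which file the change belongs in.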
--
Ticket URL: <http://tracker.bro.org/bro/ticket/976>
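To make concrete what loosening the PRI pattern changes, here is an added Python illustration, not Bro's syslog analyzer and not code from the ticket. `parse_pri`, `run_samples` and the sample datagrams are constructed for this note (the Snare-style lines are invented, not taken from the reporter's trace). A strict parser accepts only the RFC 3164/5424 form `<` 1-3 digits `>`; a lenient parser mirrors the patch's `[[:alnum:]]+` and therefore has to check the captured text before converting it, falling back to the RFC 3164 default priority `<13>` when the field is missing, non-numeric or above 191.

```python
import re

# Hypothetical parser written for this note; it is not Bro's syslog analyzer.
# RFC 3164 / RFC 5424 define PRI as "<" followed by 1 to 3 digits and ">",
# with value = facility * 8 + severity and a maximum of 191.
STRICT_PRI = re.compile(rb"^<(\d{1,3})>")
# Analogue of the patch's loosened BinPAC pattern: any run of alphanumerics.
LENIENT_PRI = re.compile(rb"^<([A-Za-z0-9]+)>")

# RFC 3164 section 4.3.3: a relay that cannot determine the priority uses <13>.
DEFAULT_PRI = 13


def parse_pri(msg, lenient=False):
    """Split a raw syslog datagram into (facility, severity, rest, valid).

    `valid` is False when the PRI field is missing, malformed or out of
    range; the RFC 3164 default priority is then returned. The strict parser
    leaves a malformed field in `rest`; the lenient one has consumed it.
    """
    pattern = LENIENT_PRI if lenient else STRICT_PRI
    m = pattern.match(msg)
    if m is None:
        return (DEFAULT_PRI // 8, DEFAULT_PRI % 8, msg, False)
    field = m.group(1)
    rest = msg[m.end():]
    # The lenient pattern can capture letters, so never hand the field to
    # int() unchecked; a non-numeric or out-of-range PRI is an error.
    if not field.isdigit() or int(field) > 191:
        return (DEFAULT_PRI // 8, DEFAULT_PRI % 8, rest, False)
    pri = int(field)
    return (pri // 8, pri % 8, rest, True)


# Constructed sample datagrams (not from the ticket's trace).
SAMPLES = {
    "numeric":   b"<34>Feb  5 17:32:18 winhost snare: MSWinEventLog\t1\tSecurity",
    "letters":   b"<1a>Feb  5 17:32:18 winhost snare: MSWinEventLog\t1\tSecurity",
    "too_large": b"<999>Feb  5 17:32:18 winhost kernel: oops",
    "no_pri":    b"Feb  5 17:32:18 winhost kernel: oops",
}


def run_samples(lenient):
    """Return {name: (facility, severity, valid)} for every sample."""
    out = {}
    for name, msg in SAMPLES.items():
        fac, sev, _rest, ok = parse_pri(msg, lenient=lenient)
        out[name] = (fac, sev, ok)
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("lenient" if mode else "strict", run_samples(mode))
```

With the strict pattern, `<1a>` is simply not a PRI and the datagram is treated as having none; with the lenient pattern the field is consumed, so the digit check afterwards is what keeps `<1a>` from being turned into facility 1, severity 5 by accident. The distinction matters for detection logic keyed on severity: a forwarder that emits a non-numeric field would otherwise have its events quietly filed under whatever `int()` made of the garbage.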
#981: &default record only creates one record
------------------------+---------------------
Reporter: dmandelb | Type: Problem
Status: new | Priority: Low
Milestone: Bro2.2 | Component: Bro
Version: git/master | Keywords:
------------------------+---------------------
It seems like when a table's &default is set to a record (either as
returned by copy() or a literal []-expression), only one copy is created
instead of one copy per table entry.
This code
{{{
type Foo: record {
x: count &default=0;
};
global foo: table[count] of Foo = {} &default=[];
print(foo[0]$x);
print(foo[1]$x);
foo[0]$x = 0;
foo[1]$x = 1;
print(foo[0]$x);
print(foo[1]$x);
}}}
prints
{{{
0
0
1
1
}}}
but I think it should print
{{{
0
0
0
1
}}}
--
Ticket URL: <http://tracker.bro.org/bro/ticket/981>