#1010: BroControl plugin for adding environment variables
-----------------------------+------------------------
Reporter: seth | Owner: dnthayer
Type: Feature Request | Status: new
Priority: Medium | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: |
-----------------------------+------------------------
We should have the ability to add environment variables to Bro at startup
time. The option should be available globally in broctl.cfg and per-node
in node.cfg. The environment variables should be applied to the process
with priority based on how specific the variable is applied (per-node
variables defined after global variables so that the per-node variable is
used).
As a name suggestion for the configuration option: env_vars (same name in
node.cfg and broctl.cfg).
--
Ticket URL: <http://tracker.bro.org/bro/ticket/1010>
Bro Tracker <http://tracker.bro.org/bro>
Bro Issue Tracker
#1001: File analysis framework tasks
-------------------+------------------------
Reporter: robin | Owner: jsiwek
Type: Task | Status: new
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: |
-------------------+------------------------
The core of the framework is merged now, a few remaining TODOs (excluding
any larger script-layer changes Seth plans to do):
- Use just hashes internally for tracking files, not unique strings.
- Remove the script-level data-injection functions, as discussed.
- Hook input framework with file analysis internally, likewise as
discussed.
- Remove postpone_timeout, replace with set_timeout.
- Extend Doxygen comments.
- Once plugin branch is merged:
  - move IRC_Data and FTP_Data over to corresponding plugins
  - move file_analysis.bif down into file_analysis
  - move to new plugin structure and separate out the analyzers
    into their own directories.
--
Ticket URL: <http://tracker.bro.org/bro/ticket/1001>
#1002: Merge new thread cleanup code
---------------------+------------------------
Reporter: amannb | Owner:
Type: Problem | Status: new
Priority: Medium | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: |
---------------------+------------------------
topic/bernhard/thread-cleanup contains a change to the thread-cleanup code
which changes how messages are exchanged on thread shutdown.
The biggest change is that now messages from the thread to the parent are
still executed until the child thread returns that it executed the
finished message. That means the child thread can still push all its work
on the queue before it is shut down. Queues are emptied by the parent
thread until they receive the child thread notification that the shutdown
has been processed.
Before this change, all message processing was shut down the moment the
master processed the finish-message; all data still in the queue from
child to parent was lost.
The change does not seem to have any adverse side effects, all tests still
seem to pass.
--
Ticket URL: <http://tracker.bro.org/bro/ticket/1002>
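The shutdown ordering described in this ticket, reduced to a runnable model (this is an added example, not code from the Bro tree): a constructed child thread keeps pushing messages to its parent after being told to finish, and the two `shutdown_*` functions contrast the old parent behaviour (stop reading as soon as the finish request is processed, losing whatever the child queues afterwards) with the new one (keep draining the queue until the child's own "finished" acknowledgement arrives). The `early`/`late` split and the `FINISHED` sentinel are assumptions made to keep the demonstration deterministic.

```python
import queue
import threading

# Sentinel the child puts on its queue once it has processed the finish request
# (the "child thread notification that the shutdown has been processed").
FINISHED = object()


class ChildThread(threading.Thread):
    """Constructed stand-in for a Bro child thread with an outgoing message queue."""

    def __init__(self, early, late):
        super().__init__()
        self.out = queue.Queue()
        self.early_done = threading.Event()        # early messages are queued
        self.finish_requested = threading.Event()  # parent asked us to finish
        self.early, self.late = early, late

    def run(self):
        for msg in self.early:
            self.out.put(msg)
        self.early_done.set()
        self.finish_requested.wait()
        # The child still has work to flush after being told to finish.
        for msg in self.late:
            self.out.put(msg)
        self.out.put(FINISHED)


def drain_nowait(q):
    """Take everything currently queued without blocking."""
    msgs = []
    while True:
        try:
            msgs.append(q.get_nowait())
        except queue.Empty:
            return msgs


def shutdown_old(child):
    """Pre-change behaviour: message processing stops when finish is processed."""
    child.early_done.wait()
    received = drain_nowait(child.out)   # only what is queued right now
    child.finish_requested.set()         # from here on nobody reads child.out
    child.join()
    # child.late and FINISHED are still sitting in child.out: they are lost.
    return received


def shutdown_new(child):
    """Post-change behaviour: keep draining until the child acknowledges the finish."""
    child.early_done.wait()
    child.finish_requested.set()
    received = []
    while True:
        msg = child.out.get()            # blocks until the child pushes more
        if msg is FINISHED:
            break
        received.append(msg)
    child.join()
    return received


def run_demo(strategy):
    """Start a child with two early and two late messages; return what the parent saw."""
    child = ChildThread(early=["log1", "log2"], late=["log3", "log4"])
    child.start()
    return strategy(child)


if __name__ == "__main__":
    print("old:", run_demo(shutdown_old))   # late messages dropped
    print("new:", run_demo(shutdown_new))   # all four messages delivered
```

The point of draining until the sentinel rather than until the queue is momentarily empty is that an empty queue says nothing about whether the child is done; only the child's explicit acknowledgement does.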
#988: Bug in HTTP body extraction
----------------------+--------------------
Reporter: matthias | Owner: seth
Type: Problem | Status: new
Priority: High | Milestone: Bro2.2
Component: Bro | Version: 2.1
Keywords: |
----------------------+--------------------
There exists a bug in HTTP body extraction that prevents certain bodies
from being dumped, even though having set
{{{
redef extract_file_types = /.*/;
}}}
This happens presumably because Bro does not figure out the correct MIME
type and does not set `c$http$mime_type`. It results in this check
failing:
{{{
if ( c$http?$mime_type && extract_file_types in c$http$mime_type )
    {
    c$http$extract_file = T;
    }
}}}
On a related note, I also find missing responses to HTTP POST requests
which I assume come from the same issues.
I have a trace that I could attach, but wanted to make sure it's worth the
effort in face of the upcoming file analysis framework, or if we plan on
pushing a 2.1 hotfix for this.
--
Ticket URL: <http://tracker.bro.org/bro/ticket/988>
#1006: topic/dnthayer/broctl-testing
---------------------------+------------------------
Reporter: dnthayer | Owner:
Type: Merge Request | Status: new
Priority: Medium | Milestone: Bro2.2
Component: BroControl | Version: git/master
Keywords: |
---------------------------+------------------------
This branch contains an automated test suite for broctl.
Included are tests of all broctl commands and plugins, and
tests that broctl can read all three of its config files
correctly.
All tests rely on btest, and Makefile targets
have been added to run all tests. Each test runs
with its own unique Bro install prefix, so a test
case does not have any effect on any others (the only
exception is a small number of test cases that use
broctl commands that rely on broccoli, but these
have been serialized to avoid problems).
There were two changes to broctl itself needed to support the test suite.
First, the ability to specify the location of the broctl install
via an environment variable (if not defined, then the
hard-coded path is used instead) was added. Another change
was to allow the manager in a cluster to be on localhost
(in that case, all other nodes must also be on localhost).
--
Ticket URL: <http://tracker.bro.org/bro/ticket/1006>
#985: 'tail -f' functionality for file reading in input framework
------------------------+-----------------------------
Reporter: scampbell | Type: Feature Request
Status: new | Priority: Low
Milestone: Bro2.2 | Component: Bro
Version: git/master | Keywords:
------------------------+-----------------------------
With the current input framework, file data -> event translation requires
that the entire data file be read at bro start time. This can be
prohibitive when the file sizes become large ( > 1GB ).
It would be great to see a file open option that would start reading at
the end of the file.
--
Ticket URL: <http://tracker.bro.org/bro/ticket/985>
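What the requested "start reading at the end of the file" option amounts to, as an added example that is not part of the input framework or this ticket: a follow-reader that records the file size when opened, returns only lines appended after that point on each poll, keeps an incomplete trailing line buffered until its newline arrives, and restarts from offset zero if the file shrinks (truncation in place). The `TailReader` class, its `poll` method and the `demo` function are constructed for this illustration.

```python
import os
import tempfile


class TailReader:
    """Constructed 'tail -f'-style reader: skip existing data, return appended lines."""

    def __init__(self, path, start_at_end=True):
        self.path = path
        self._partial = b""   # bytes of a line whose newline has not arrived yet
        self.offset = os.path.getsize(path) if start_at_end else 0

    def poll(self):
        """Return the complete lines appended since the previous poll."""
        size = os.path.getsize(self.path)
        if size < self.offset:
            # File was truncated (e.g. rotated in place): start over from the top.
            self.offset = 0
            self._partial = b""
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
            self.offset = f.tell()
        buf = self._partial + data
        lines = buf.split(b"\n")
        self._partial = lines.pop()   # "" after a trailing newline, else the partial line
        return [ln.decode("utf-8", "replace") for ln in lines]


def demo():
    """Exercise the reader against a constructed file; returns the three poll results."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "events.log")
        with open(path, "w") as f:
            f.write("old line 1\nold line 2\n")   # pre-existing data: must be skipped
        reader = TailReader(path)
        first = reader.poll()                      # nothing appended yet
        with open(path, "a") as f:
            f.write("new line 1\npartial")         # one full line plus a fragment
        second = reader.poll()
        with open(path, "a") as f:
            f.write(" rest\n")                     # the fragment is now complete
        third = reader.poll()
        return first, second, third


if __name__ == "__main__":
    print(demo())
```

Buffering the partial line matters for event translation: a reader that hands half a line to the parser produces a malformed event rather than a delayed one.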
The plugin branch is almost ready for merging, except for some
clean-up and missing API docs. It does two things:
(1) Move all protocol analyzers over to new infrastructure code
that's structured around standalone modules (plugins): everything
that's part of an analyzer is now contained to a single directory
(incl. C++ code, bif, pac). Currently all these plugins are still
compiled in statically but in the future (not 2.2) there will also
be an option to compile individual analyzers standalone into
dynamic libraries.
(2) Make analyzer activation/deactivation dynamic, controllable by
function calls via the new analyzer framework (dpd_config is
gone).
In the future, the infrastructure for (1) will also facilitate moving
other components to the plugin-model as well (e.g., readers/writers,
packet sources).
So, my question is if I should go ahead merging this into master for
2.2. At the user-level it doesn't change much other than what relates
to (2), but internally it moves things around quite a bit,
including renaming analyzer classes and introducing an analyzer
namespace. I think generally that's fine, but let me know what you
think.
Also, there's one particular issue coming with a merge that we would
need to fix: the Broxygen docs for analyzer bifs are now spread out
over many files, and look pretty ugly in the generated pages. I think
what we'll need to do is switch from a purely file-based model to
documenting semantic groups, like a specific analyzer. I don't think
this will actually be too difficult, the plugin infrastructure comes
with "introspection" functionality that gives you all bif elements that
a plugin defines. I believe Broxygen could just go through and turn it
into corresponding pages (see below for output of the new "-N"
switch that summarizes this information for all available plugins).
However, it's probably still a bit of work to get this into a nice
shape.
So my question is, mostly for Jon: is that something we could tackle
for 2.2 final (during beta would be ok)? If that's too much work to be
realistic, I'm wondering if we should postpone the plugin branch for
2.3.
Robin
--------- cut -------------------------------------------------------
# bro -NN
[...]
Plugin: Bro::FTP - FTP analyzer (built-in)
[Analyzer] FTP (ANALYZER_FTP, enabled)
[Analyzer] FTP_ADAT (enabled)
[Event] ftp_request
[Event] ftp_reply
[Type] ftp_port
[Function] parse_ftp_port
[Function] parse_eftp_port
[Function] parse_ftp_pasv
[Function] parse_ftp_epsv
[Function] fmt_ftp_port
[...]
--
Robin Sommer * Phone +1 (510) 722-6541 * robin(a)icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin
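The "go through the introspection output and turn it into per-plugin pages" idea in the message above, as an added example (not Broxygen's or Bro's own code): a small parser for the `bro -NN` listing format shown in the message, grouping each plugin's analyzers, events, types and functions, plus a renderer that emits one plain-text page per plugin. The sample listing embeds the FTP plugin lines from the message together with a constructed second plugin; the output page layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the Bro::FTP lines from the message plus an invented second plugin.
SAMPLE_NN_OUTPUT = """\
Plugin: Bro::FTP - FTP analyzer (built-in)
[Analyzer] FTP (ANALYZER_FTP, enabled)
[Analyzer] FTP_ADAT (enabled)
[Event] ftp_request
[Event] ftp_reply
[Type] ftp_port
[Function] parse_ftp_port
[Function] fmt_ftp_port
[...]
Plugin: Bro::Example - constructed example plugin (built-in)
[Event] example_event
"""

PLUGIN_RE = re.compile(r"^Plugin:\s+(?P<name>\S+)\s+-\s+(?P<desc>.*)$")
ITEM_RE = re.compile(r"^\[(?P<kind>\w+)\]\s+(?P<rest>.+)$")


def parse_plugin_listing(text):
    """Map plugin name -> {'description': str, 'components': {kind: [items]}}."""
    plugins = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "[...]":
            continue
        m = PLUGIN_RE.match(line)
        if m:
            current = {"description": m.group("desc"), "components": defaultdict(list)}
            plugins[m.group("name")] = current
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            kind, rest = m.group("kind"), m.group("rest")
            if kind == "Analyzer":
                # "FTP (ANALYZER_FTP, enabled)" -> name plus enabled flag
                name, _, attrs = rest.partition(" (")
                current["components"][kind].append(
                    {"name": name, "enabled": "enabled" in attrs})
            else:
                current["components"][kind].append(rest)
        # Any other line is ignored rather than aborting the whole listing.
    for info in plugins.values():
        info["components"] = dict(info["components"])
    return plugins


def render_plugin_page(name, info):
    """One plain-text documentation page per plugin (layout is an assumption)."""
    lines = [name, "=" * len(name), info["description"], ""]
    for kind, items in sorted(info["components"].items()):
        lines.append(kind + "s:")
        for item in items:
            if isinstance(item, dict):
                state = "enabled" if item["enabled"] else "disabled"
                lines.append(f"  - {item['name']} ({state})")
            else:
                lines.append(f"  - {item}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for plugin_name, plugin_info in parse_plugin_listing(SAMPLE_NN_OUTPUT).items():
        print(render_plugin_page(plugin_name, plugin_info))
```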
#983: Deep typing bug
---------------------+------------------------
Reporter: seth | Owner:
Type: Problem | Status: new
Priority: High | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: |
---------------------+------------------------
This looks like an issue where the automatic typing is digging down one
layer (beyond the set to the first record) but then doesn't auto type the
record a layer deeper and gives an error. This is kind of a major
usability issue for the 2.2 release because of how the vulnerable software
version script works.
Example script:
{{{
@load frameworks/software/vulnerable
redef Software::vulnerable_versions += {
    ["Java"] = set([$max=[$major=1,$minor=5,$minor2=999]],
                   [$min=[$major=1,$minor=6],
                    $max=[$major=1,$minor=6,$minor2=0,$minor3=43]],
                   [$min=[$major=1,$minor=7],
                    $max=[$major=1,$minor=7,$minor2=0,$minor3=20]])
};
}}}
Gives the output:
{{{
error in ./test-vuln.bro, line 3: type error in initialization
([$max=[$major=1, $minor=5, $minor2=999]], [$min=[$major=1, $minor=6],
$max=[$major=1, $minor=6, $minor2=0, $minor3=43]], [$min=[$major=1,
$minor=7], $max=[$major=1, $minor=7, $minor2=0, $minor3=20]])
}}}
--
Ticket URL: <http://tracker.bro.org/bro/ticket/983>
#1012: RIP Analyzer
------------------------+-------------------
Reporter: nicolas | Type: Patch
Status: new | Priority: Low
Milestone: Bro2.2 | Component: Bro
Version: git/master | Keywords:
------------------------+-------------------
I wrote some code lines to see how binpac works; it is a RIPv2 analyzer.
--
Ticket URL: <http://tracker.bro.org/bro/ticket/1012>