[ https://bro-tracker.atlassian.net/browse/BIT-1124?page=com.atlassian.jira.p… ]
Daniel Thayer commented on BIT-1124:
------------------------------------
If you run "broctl process" with a custom script, then you need
to specify "--" so that broctl knows where the Bro options end
and where the custom scripts begin. So your example
should be:
broctl process trace.pcap -- test.bro
Doing so moves test.bro farther down towards the end
of the Bro command line.
However, in this example we still get a different error,
because broctl adds its own script (process-trace.bro,
which contains a couple of redefs) at the very end of
the Bro command. I will change the order so that the
process-trace.bro is before the custom scripts (which
solves the syntax error).
> process command misplaces custom scripts
> ----------------------------------------
>
> Key: BIT-1124
> URL: https://bro-tracker.atlassian.net/browse/BIT-1124
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: 2.2
> Reporter: Robin Sommer
>
> {noformat}
> # cat test.bro
> @load base/utils/site
> print Site::local_nets;
> {noformat}
> {{broctl process trace.pcap test.bro}} gives:
> {noformat}
> error in /usr/local/bro-2.2/share/bro/policy/misc/loaded-scripts.bro, line 4: syntax error, at or near "module"
> {noformat}
> I believe it's due to test.bro being placed in the middle of the command line that {{process}} builds. If I move it to the end, it works fine.
--
This message was sent by Atlassian JIRA
(v6.2-OD-07-028#6211)
Jon Siwek created BIT-1125:
------------------------------
Summary: topic/jsiwek/http-file-id-caching
Key: BIT-1125
URL: https://bro-tracker.atlassian.net/browse/BIT-1125
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: git/master
Reporter: Jon Siwek
Fix For: 2.3
This branch is in bro and bro-testing repos. It adds a file ID caching / "fast path" mechanism to the file analysis API and adapts HTTP to use it for performance improvement.
[ https://bro-tracker.atlassian.net/browse/BIT-1125?page=com.atlassian.jira.p… ]
Jon Siwek updated BIT-1125:
---------------------------
Status: Merge Request (was: Open)
> topic/jsiwek/http-file-id-caching
> ---------------------------------
>
> Key: BIT-1125
> URL: https://bro-tracker.atlassian.net/browse/BIT-1125
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Fix For: 2.3
>
>
> This branch is in bro and bro-testing repos. It adds a file ID caching / "fast path" mechanism to the file analysis API and adapts HTTP to use it for performance improvement.
Robin Sommer created BIT-1124:
---------------------------------
Summary: process command misplaces custom scripts
Key: BIT-1124
URL: https://bro-tracker.atlassian.net/browse/BIT-1124
Project: Bro Issue Tracker
Issue Type: Problem
Components: BroControl
Affects Versions: 2.2
Reporter: Robin Sommer
{noformat}
# cat test.bro
@load base/utils/site
print Site::local_nets;
{noformat}
{{broctl process trace.pcap test.bro}} gives:
{noformat}
error in /usr/local/bro-2.2/share/bro/policy/misc/loaded-scripts.bro, line 4: syntax error, at or near "module"
{noformat}
I believe it's due to test.bro being placed in the middle of the command line that {{process}} builds. If I move it to the end, it works fine.
Jeannette Dopheide created BIT-1123:
---------------------------------------
Summary: topic/jdopheid/bro/edits_to_installation_and_getting_started
Key: BIT-1123
URL: https://bro-tracker.atlassian.net/browse/BIT-1123
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: git/master
Reporter: Jeannette Dopheide
Minor grammar edits to Installation and Quick Start pages
Also, please let me know if I need to modify future JIRA tickets.
Thanks,
Jeannette
************************
Repository : ssh://git@bro-ids.icir.org/bro
On branch : topic/jdopheid/bro/edits_to_installation_and_getting_started
Link : https://github.com/bro/bro/commit/4c52c378d5873abb052d688251f0ec7f5aa1c514
And:
Repository : ssh://git@bro-ids.icir.org/bro
On branch : topic/jdopheid/bro/edits_to_installation_and_getting_started
Link : https://github.com/bro/bro/commit/af95026348688e0df8c867f67d2a53a3d440cf41
[ https://bro-tracker.atlassian.net/browse/BIT-1119?page=com.atlassian.jira.p… ]
Jon Siwek commented on BIT-1119:
--------------------------------
{quote}
it's less the volume of output but the potential for confusion: one sees it and starts wondering what's wrong. It's easy to forget that TCP analysis gets confused because the trace is filtered.
{quote}
I might be misremembering (or repressed the details of the TCP code), but isn't the TCP analysis *less* confused in the face of filtered traces with the change? i.e. things are now most correct and it actually reports content gaps so e.g. missing_bytes fields for connections can be populated.
{quote}
but it's awesome to be able to notify people when things are failing and how they could fix it.
{quote}
I wouldn't say filtered traces fail due to the change, you just get more, possibly unexpected but not incorrect, output.
(I'm just trying to clarify perspective, not really against the idea of sampling weirds to issue a suggestion/warning)
> topic/jsiwek/tcp-improvements
> -----------------------------
>
> Key: BIT-1119
> URL: https://bro-tracker.atlassian.net/browse/BIT-1119
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Fix For: 2.3
>
> Attachments: signature.asc
>
>
> This branch is in the bro, bro-testing, and bro-testing-private repos and has a few changes to improve reporting of TCP connection sizes and gaps (commit messages explain in more detail).
> The baseline changes in the external repos all seemed reasonable/explainable (or actually fix a problem). There's too much changed to go through case-by-case and actually check things, but I did do closer examinations of unique differences as I came across them (e.g. try to corroborate Bro results via wireshark). Then for those that seem to follow the same trend as something I already inspected, I wouldn't manually check.
[ https://bro-tracker.atlassian.net/browse/BIT-1119?page=com.atlassian.jira.p… ]
Seth Hall updated BIT-1119:
---------------------------
Attachment: signature.asc
We could probably do it similarly to how we're doing the detection of invalid checksums by sampling weirds for a little bit. I also like this approach a lot. I think that keeping the default settings of Bro working "correctly" in the normal case is good, but it's awesome to be able to notify people when things are failing and how they could fix it.
> topic/jsiwek/tcp-improvements
> -----------------------------
>
> Key: BIT-1119
> URL: https://bro-tracker.atlassian.net/browse/BIT-1119
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Fix For: 2.3
>
> Attachments: signature.asc
>
>
> This branch is in the bro, bro-testing, and bro-testing-private repos and has a few changes to improve reporting of TCP connection sizes and gaps (commit messages explain in more detail).
> The baseline changes in the external repos all seemed reasonable/explainable (or actually fix a problem). There's too much changed to go through case-by-case and actually check things, but I did do closer examinations of unique differences as I came across them (e.g. try to corroborate Bro results via wireshark). Then for those that seem to follow the same trend as something I already inspected, I wouldn't manually check.