[ https://bro-tracker.atlassian.net/browse/BIT-1121?page=com.atlassian.jira.p… ]
Robin Sommer updated BIT-1121:
------------------------------
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)
> topic/dnthayer/test-improvements
> --------------------------------
>
> Key: BIT-1121
> URL: https://bro-tracker.atlassian.net/browse/BIT-1121
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Reporter: Daniel Thayer
> Fix For: 2.3
>
>
> Various improvements to the test build scripts to address some
> error scenarios and to provide convenience features (added a
> new makefile target "rerun" to more easily re-run failed tests,
> and scripts now recognize two new env. vars. to enable doing a
> non-standard build). Improved the test diff canonifiers
> to do more thorough checking, and to workaround an issue in btest-diff
> which was causing some failed tests to not be reported as failed.
> Added lots of new tests (there are now 50% more test cases) to
> fill in gaps in the test coverage. Also improved many existing
> tests.
--
This message was sent by Atlassian JIRA
(v6.2-OD-07-028#6211)
[ https://bro-tracker.atlassian.net/browse/BIT-1120?page=com.atlassian.jira.p… ]
Robin Sommer updated BIT-1120:
------------------------------
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)
> Fix & extend x509_extension event
> ---------------------------------
>
> Key: BIT-1120
> URL: https://bro-tracker.atlassian.net/browse/BIT-1120
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master, 2.2
> Reporter: Bernhard Amann
> Fix For: 2.3
>
>
> Please merge topic/bernhard/fix-x509-extension.
> This branch fixes and extends the x509_extension event, which was never called in the previous implementation. The event now parses the extension into a bro data structure. If OpenSSL supports printing it, it is converted into the openssl ascii output, otherwise a raw hex-dump is output.
> New event syntax:
> event x509_extension(c: connection, is_orig: bool, cert:X509, extension: X509_extension_info)
> Example output for extension:
> [name=X509v3 Extended Key Usage,
> short_name=extendedKeyUsage,
> oid=2.5.29.37,
> critical=F,
> value=TLS Web Server Authentication, TLS Web Client Authentication]
> [name=X509v3 Certificate Policies,
> short_name=certificatePolicies,
> oid=2.5.29.32,
> critical=F,
> value=Policy: 1.3.6.1.4.1.6449.1.2.1.3.4^J CPS: https://secure.comodo.com/CPS^J]
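To show what the x509_extension record quoted above is built from, here is an added Python parser (not Bro's code) for one DER-encoded X.509 Extension; the DER bytes and the OID-to-name table are constructed for the example, and an extension without a text printer falls back to the hex-dump behaviour the description mentions:

```python
# Added example (not Bro's code): parse one DER-encoded X.509 Extension into
# the name/short_name/oid/critical/value record quoted above; assumes DER.
KNOWN = {"2.5.29.37": ("X509v3 Extended Key Usage", "extendedKeyUsage"),
         "2.5.29.19": ("X509v3 Basic Constraints", "basicConstraints")}
KEY_PURPOSE = {"1.3.6.1.5.5.7.3.1": "TLS Web Server Authentication",
               "1.3.6.1.5.5.7.3.2": "TLS Web Client Authentication"}
def read_tlv(buf, pos):
    # Return (tag, content, position after this element) for the TLV at pos.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def decode_oid(content):
    # Base-128 OID content to dotted notation; the first byte packs two arcs.
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def parse_extension(der):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "Extension must be a SEQUENCE"
    tag, content, pos = read_tlv(body, 0)
    oid, critical = decode_oid(content), False
    tag, content, pos = read_tlv(body, pos)
    if tag == 0x01:  # critical is OPTIONAL; DER omits it when FALSE
        critical = content != b"\x00"
        tag, content, pos = read_tlv(body, pos)
    assert tag == 0x04, "extnValue must be an OCTET STRING"
    name, short_name = KNOWN.get(oid, (oid, oid))
    if oid == "2.5.29.37":  # EKU is SEQUENCE OF KeyPurposeId: print as text
        _, seq, _ = read_tlv(content, 0)
        purposes, p = [], 0
        while p < len(seq):
            _, kp, p = read_tlv(seq, p)
            purposes.append(KEY_PURPOSE.get(decode_oid(kp), decode_oid(kp)))
        value = ", ".join(purposes)
    else:  # no printer for this extension: fall back to a raw hex dump
        value = content.hex().upper()
    return {"name": name, "short_name": short_name, "oid": oid,
            "critical": critical, "value": value}

# Constructed DER: extendedKeyUsage {serverAuth, clientAuth}, non-critical
EKU_DER = bytes.fromhex("301d0603551d250416301406082b0601050507030106082b06010505070302")
# Constructed DER: basicConstraints CA:TRUE, marked critical
BC_DER = bytes.fromhex("300f0603551d130101ff040530030101ff")
```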
[ https://bro-tracker.atlassian.net/browse/BIT-1119?page=com.atlassian.jira.p… ]
Robin Sommer commented on BIT-1119:
-----------------------------------
{quote}
have some script warn if all TCP connections are missing 100% of content and suggest toggling detect_filtered_trace
{quote}
I like that, is that something we can do efficiently?
{quote}
But if it's actually not that important for a person using filtered traces to minimize output, I think it's fine enough as is?
{quote}
it's less the volume of output but the potential for confusion: one sees it and starts wondering what's wrong. It's easy to forget that TCP analysis gets confused because the trace is filtered. So if there was some way to point that out, that's all it would need.
It's not a biggie but it's indeed in the same category like the checksums: something easy to get wrong without realizing what's going on, in particular because we're changing the default here.
> topic/jsiwek/tcp-improvements
> -----------------------------
>
> Key: BIT-1119
> URL: https://bro-tracker.atlassian.net/browse/BIT-1119
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Fix For: 2.3
>
>
> This branch is in the bro, bro-testing, and bro-testing-private repos and has a few changes to improve reporting of TCP connection sizes and gaps (commit messages explain in more detail).
> The baseline changes in the external repos all seemed reasonable/explainable (or actually fix a problem). There's too much changed to go through case-by-case and actually check things, but I did do closer examinations of unique differences as I came across them (e.g. try to corroborate Bro results via wireshark). Then for those that seem to follow the same trend as something I already inspected, I wouldn't manually check.
[ https://bro-tracker.atlassian.net/browse/BIT-1119?page=com.atlassian.jira.p… ]
Jon Siwek commented on BIT-1119:
--------------------------------
{quote}
I'm going ahead merging this but I'm wondering about the new detect_filtered_trace flag. It's pretty common (in the research world, anyways :) to run Bro on a SYN/FIN/RST trace and I imagine having this by default off can add a lot for warnings in that case. Can we add some other heuristic to detect such a trace (i.e., guess whether detect_filtered_trace should be on) ? A (very) coarse approach would simply be a global variable recording if we've ever seen anything else than a TCP control packet. Thoughts?
{quote}
If a person found out that Bro automatically switched modes part way through the trace, they will probably just re-run after manually toggling the option, right? Maybe treat it in a similar way to checksums -- have a FAQ and/or have some script warn if all TCP connections are missing 100% of content and suggest toggling {{detect_filtered_trace}} if the person would like to trade off correctness for minimized output. But if it's actually not that important for a person using filtered traces to minimize output, I think it's fine enough as is?
> topic/jsiwek/tcp-improvements
> -----------------------------
>
> Key: BIT-1119
> URL: https://bro-tracker.atlassian.net/browse/BIT-1119
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Fix For: 2.3
>
>
> This branch is in the bro, bro-testing, and bro-testing-private repos and has a few changes to improve reporting of TCP connection sizes and gaps (commit messages explain in more detail).
> The baseline changes in the external repos all seemed reasonable/explainable (or actually fix a problem). There's too much changed to go through case-by-case and actually check things, but I did do closer examinations of unique differences as I came across them (e.g. try to corroborate Bro results via wireshark). Then for those that seem to follow the same trend as something I already inspected, I wouldn't manually check.
[ https://bro-tracker.atlassian.net/browse/BIT-1122?page=com.atlassian.jira.p… ]
Robin Sommer reassigned BIT-1122:
---------------------------------
Assignee: Seth Hall
> topic/jsiwek/dns-improvements
> -----------------------------
>
> Key: BIT-1122
> URL: https://bro-tracker.atlassian.net/browse/BIT-1122
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Assignee: Seth Hall
> Fix For: 2.3
>
>
> This branch is in bro, bro-testing, and bro-testing-private repos.
> - Fixes incorrect parsing of DNS message format for messages with empty question sections.
> - Changes dns.log to only include standard queries (opcode == 1).
> - Adds "dns_unknown_reply" event for RR types that Bro doesn't know how to parse, which improves accuracy of request-reply pair matching performed by the default DNS scripts.
[ https://bro-tracker.atlassian.net/browse/BIT-1119?page=com.atlassian.jira.p… ]
Robin Sommer commented on BIT-1119:
-----------------------------------
I'm going ahead merging this but I'm wondering about the new {{detect_filtered_trace}} flag. It's pretty common (in the research world, anyways :) to run Bro on a SYN/FIN/RST trace and I imagine having this by default off can add a lot for warnings in that case. Can we add some other heuristic to detect such a trace (i.e., guess whether {{detect_filtered_trace}} should be on) ? A (very) coarse approach would simply be a global variable recording if we've ever seen anything else than a TCP control packet. Thoughts?
> topic/jsiwek/tcp-improvements
> -----------------------------
>
> Key: BIT-1119
> URL: https://bro-tracker.atlassian.net/browse/BIT-1119
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Fix For: 2.3
>
>
> This branch is in the bro, bro-testing, and bro-testing-private repos and has a few changes to improve reporting of TCP connection sizes and gaps (commit messages explain in more detail).
> The baseline changes in the external repos all seemed reasonable/explainable (or actually fix a problem). There's too much changed to go through case-by-case and actually check things, but I did do closer examinations of unique differences as I came across them (e.g. try to corroborate Bro results via wireshark). Then for those that seem to follow the same trend as something I already inspected, I wouldn't manually check.
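The two heuristics floated in this thread (Robin's global "anything other than a TCP control packet" flag and Jon's "all TCP connections missing 100% of content" warning), as an added Python sketch that is not part of Bro; the packet tuples, addresses and sequence numbers are constructed, and content sizes are derived from the sequence numbers the way a SYN/FIN/RST-only trace still allows:

```python
# Added example (not Bro's code): the two detect_filtered_trace heuristics
# discussed in BIT-1119, run over a constructed SYN/FIN/RST-only trace.
# Packets are simplified tuples, not real pcap; sizes come from seq numbers.
from collections import defaultdict

def is_control(flags, payload_len):
    # A TCP control packet carries no payload and has SYN, FIN or RST set.
    return payload_len == 0 and bool({"S", "F", "R"} & set(flags))

def analyze(packets):
    # packets: (src, sport, dst, dport, flags, seq, payload_len), in order.
    # Returns (saw_non_control, {direction: fraction of content missing}).
    saw_non_control = False
    dirs = defaultdict(lambda: {"isn": None, "end": None, "seen": 0})
    for src, sport, dst, dport, flags, seq, plen in packets:
        if not is_control(flags, plen):
            saw_non_control = True  # Robin's coarse global flag
        d = dirs[(src, sport, dst, dport)]
        if "S" in flags and d["isn"] is None:
            d["isn"] = seq  # the SYN itself consumes one sequence number
        d["seen"] += plen
        end = seq + plen  # a FIN at seq S means the data stream ended at S
        d["end"] = end if d["end"] is None else max(d["end"], end)
    missing = {}
    for key, d in dirs.items():
        if d["isn"] is None:
            continue  # no SYN seen: content size unknown, nothing to report
        expected = d["end"] - d["isn"] - 1
        if expected > 0:
            missing[key] = 1.0 - d["seen"] / expected
    return saw_non_control, missing

def suggest_detect_filtered_trace(packets):
    # Jon's warning condition (every connection with content is missing all
    # of it) combined with Robin's check (only control packets ever seen).
    saw_non_control, missing = analyze(packets)
    return (not saw_non_control and bool(missing)
            and all(m >= 1.0 for m in missing.values()))

# Constructed trace: handshake and teardown only, as a SYN/FIN/RST filter
# would leave it; seq numbers imply 300 bytes client->server, 1200 back.
C, S = ("10.0.0.1", 40000), ("10.0.0.2", 80)
FILTERED_TRACE = [
    (*C, *S, "S", 1000, 0), (*S, *C, "SA", 5000, 0),
    (*C, *S, "FA", 1301, 0), (*S, *C, "FA", 6201, 0),
]
# Same connection with its data packets present (unfiltered)
FULL_TRACE = FILTERED_TRACE[:2] + [
    (*C, *S, "PA", 1001, 300), (*S, *C, "PA", 5001, 1200),
] + FILTERED_TRACE[2:]
```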
[ https://bro-tracker.atlassian.net/browse/BIT-1122?page=com.atlassian.jira.p… ]
Jon Siwek updated BIT-1122:
---------------------------
Issue Type: Improvement (was: Problem)
> topic/jsiwek/dns-improvements
> -----------------------------
>
> Key: BIT-1122
> URL: https://bro-tracker.atlassian.net/browse/BIT-1122
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Fix For: 2.3
>
>
> This branch is in bro, bro-testing, and bro-testing-private repos.
> - Fixes incorrect parsing of DNS message format for messages with empty question sections.
> - Changes dns.log to only include standard queries (opcode == 1).
> - Adds "dns_unknown_reply" event for RR types that Bro doesn't know how to parse, which improves accuracy of request-reply pair matching performed by the default DNS scripts.
Jon Siwek created BIT-1122:
------------------------------
Summary: topic/jsiwek/dns-improvements
Key: BIT-1122
URL: https://bro-tracker.atlassian.net/browse/BIT-1122
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: Jon Siwek
Fix For: 2.3
This branch is in bro, bro-testing, and bro-testing-private repos.
- Fixes incorrect parsing of DNS message format for messages with empty question sections.
- Changes dns.log to only include standard queries (opcode == 1).
- Adds "dns_unknown_reply" event for RR types that Bro doesn't know how to parse, which improves accuracy of request-reply pair matching performed by the default DNS scripts.
[ https://bro-tracker.atlassian.net/browse/BIT-1122?page=com.atlassian.jira.p… ]
Jon Siwek updated BIT-1122:
---------------------------
Status: Merge Request (was: Open)
> topic/jsiwek/dns-improvements
> -----------------------------
>
> Key: BIT-1122
> URL: https://bro-tracker.atlassian.net/browse/BIT-1122
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Fix For: 2.3
>
>
> This branch is in bro, bro-testing, and bro-testing-private repos.
> - Fixes incorrect parsing of DNS message format for messages with empty question sections.
> - Changes dns.log to only include standard queries (opcode == 1).
> - Adds "dns_unknown_reply" event for RR types that Bro doesn't know how to parse, which improves accuracy of request-reply pair matching performed by the default DNS scripts.