zeek-dev February 2014

zeek-dev@lists.zeek.org

195 discussions

by Robin Sommer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-700?page=com.atlassian.jira.pl… ] Robin Sommer updated BIT-700: ----------------------------- Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > PacketSorter > ------------ > > Key: BIT-700 > URL: https://bro-tracker.atlassian.net/browse/BIT-700 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: gregor > Assignee: Robin Sommer > Labels: BroV6,, IPv6 > Fix For: 2.4 > > > (from an e-mail I sent a while ago) > Might relevant for IPv6 so setting milestone to 2.1 > Hi, > I was wondering about Bro's packet sorter. From a quick glance it > appears that it's only enabled if packet_sort_window is set to a non > zero value. When enabled it will sort packets > a) based on timestamps and > b) for TCP packets based on SEQ/ACK numbers (I presume to ensure that > ACKs are delivered after the data packet) > Note, this is independent from Bro's ability to process multiple trace > files (or multiple interfaces) in order. So I was wondering about the > use cases for PacketSorter, especially (a) > If the packet sorter is enabled Bro's behavior will slightly change: It > won't pass ARP packets to the ARP analyzer, and it won't create a weird > if it's not an IP packet. > I was just wondering whether anybody has recently used the packet > sorter. If not I'm wondering whether we should test this code path to > see whether it works correctly esp wrt IPv6. > Or, actually, whether the packet sorter is worth keeping or whether we > should remove the code. > And another question would be if the TCP sorting would better be handled > by the TCP analyzer? > Opinions? -- This message was sent by Atlassian JIRA (v6.2-OD-09-036#6252)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-123) expire-logs doesn't expire stats/*

by Robin Sommer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-123?page=com.atlassian.jira.pl… ] Robin Sommer updated BIT-123: ----------------------------- Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > expire-logs doesn't expire stats/* > ---------------------------------- > > Key: BIT-123 > URL: https://bro-tracker.atlassian.net/browse/BIT-123 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Affects Versions: 1.5.2 > Reporter: Robin Sommer > Assignee: Daniel Thayer > Priority: Low > Fix For: 2.3 > > > It should however have a separate expiration period, as we might want to keep these for a different period. -- This message was sent by Atlassian JIRA (v6.2-OD-09-036#6252)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-1117) Broctl base communication port should be configurable

by Robin Sommer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1117?page=com.atlassian.jira.p… ] Robin Sommer updated BIT-1117: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > Broctl base communication port should be configurable > ----------------------------------------------------- > > Key: BIT-1117 > URL: https://bro-tracker.atlassian.net/browse/BIT-1117 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: BroControl > Reporter: Justin Azoff > Fix For: 2.3 > > > Broctl automatically assigns ports for Bro to listen on, starting with port number 47760. There is no config option to change this. -- This message was sent by Atlassian JIRA (v6.2-OD-09-036#6252)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-700) PacketSorter

by Bernhard Amann (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-700?page=com.atlassian.jira.pl… ] Bernhard Amann commented on BIT-700: ------------------------------------ Uh. Sorry. Und ich dachte, dass ich einmal einen problemfreien patch hinbekommen hab… das hab ich vergessen :( > PacketSorter > ------------ > > Key: BIT-700 > URL: https://bro-tracker.atlassian.net/browse/BIT-700 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: gregor > Assignee: Robin Sommer > Labels: BroV6,, IPv6 > Fix For: 2.4 > > > (from an e-mail I sent a while ago) > Might relevant for IPv6 so setting milestone to 2.1 > Hi, > I was wondering about Bro's packet sorter. From a quick glance it > appears that it's only enabled if packet_sort_window is set to a non > zero value. When enabled it will sort packets > a) based on timestamps and > b) for TCP packets based on SEQ/ACK numbers (I presume to ensure that > ACKs are delivered after the data packet) > Note, this is independent from Bro's ability to process multiple trace > files (or multiple interfaces) in order. So I was wondering about the > use cases for PacketSorter, especially (a) > If the packet sorter is enabled Bro's behavior will slightly change: It > won't pass ARP packets to the ARP analyzer, and it won't create a weird > if it's not an IP packet. > I was just wondering whether anybody has recently used the packet > sorter. If not I'm wondering whether we should test this code path to > see whether it works correctly esp wrt IPv6. > Or, actually, whether the packet sorter is worth keeping or whether we > should remove the code. > And another question would be if the TCP sorting would better be handled > by the TCP analyzer? > Opinions? -- This message was sent by Atlassian JIRA (v6.2-OD-09-036#6252)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-700) PacketSorter

by Bernhard Amann (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-700?page=com.atlassian.jira.pl… ] Bernhard Amann edited comment on BIT-700 at 2/28/14 4:59 PM: ------------------------------------------------------------- sorry, me bad. Yes, delete. That was kind of the motivation for the patch :) was (Author: amannb): Uh. Sorry. Und ich dachte, dass ich einmal einen problemfreien patch hinbekommen hab… das hab ich vergessen :( > PacketSorter > ------------ > > Key: BIT-700 > URL: https://bro-tracker.atlassian.net/browse/BIT-700 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: gregor > Assignee: Robin Sommer > Labels: BroV6,, IPv6 > Fix For: 2.4 > > > (from an e-mail I sent a while ago) > Might relevant for IPv6 so setting milestone to 2.1 > Hi, > I was wondering about Bro's packet sorter. From a quick glance it > appears that it's only enabled if packet_sort_window is set to a non > zero value. When enabled it will sort packets > a) based on timestamps and > b) for TCP packets based on SEQ/ACK numbers (I presume to ensure that > ACKs are delivered after the data packet) > Note, this is independent from Bro's ability to process multiple trace > files (or multiple interfaces) in order. So I was wondering about the > use cases for PacketSorter, especially (a) > If the packet sorter is enabled Bro's behavior will slightly change: It > won't pass ARP packets to the ARP analyzer, and it won't create a weird > if it's not an IP packet. > I was just wondering whether anybody has recently used the packet > sorter. If not I'm wondering whether we should test this code path to > see whether it works correctly esp wrt IPv6. > Or, actually, whether the packet sorter is worth keeping or whether we > should remove the code. > And another question would be if the TCP sorting would better be handled > by the TCP analyzer? > Opinions? -- This message was sent by Atlassian JIRA (v6.2-OD-09-036#6252)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-700) PacketSorter

by Robin Sommer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-700?page=com.atlassian.jira.pl… ] Robin Sommer commented on BIT-700: ---------------------------------- What's this? :) Delete? {code} + case DLT_IEEE802_11: + { + printf("Here\n"); + exit(0); + } + {code} > PacketSorter > ------------ > > Key: BIT-700 > URL: https://bro-tracker.atlassian.net/browse/BIT-700 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: gregor > Assignee: Robin Sommer > Labels: BroV6,, IPv6 > Fix For: 2.4 > > > (from an e-mail I sent a while ago) > Might relevant for IPv6 so setting milestone to 2.1 > Hi, > I was wondering about Bro's packet sorter. From a quick glance it > appears that it's only enabled if packet_sort_window is set to a non > zero value. When enabled it will sort packets > a) based on timestamps and > b) for TCP packets based on SEQ/ACK numbers (I presume to ensure that > ACKs are delivered after the data packet) > Note, this is independent from Bro's ability to process multiple trace > files (or multiple interfaces) in order. So I was wondering about the > use cases for PacketSorter, especially (a) > If the packet sorter is enabled Bro's behavior will slightly change: It > won't pass ARP packets to the ARP analyzer, and it won't create a weird > if it's not an IP packet. > I was just wondering whether anybody has recently used the packet > sorter. If not I'm wondering whether we should test this code path to > see whether it works correctly esp wrt IPv6. > Or, actually, whether the packet sorter is worth keeping or whether we > should remove the code. > And another question would be if the TCP sorting would better be handled > by the TCP analyzer? > Opinions? -- This message was sent by Atlassian JIRA (v6.2-OD-09-036#6252)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-1129) RADIUS Protocol Analyzer

by Robin Sommer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1129?page=com.atlassian.jira.p… ] Robin Sommer updated BIT-1129: ------------------------------ Status: Open (was: Merge Request) > RADIUS Protocol Analyzer > ------------------------ > > Key: BIT-1129 > URL: https://bro-tracker.atlassian.net/browse/BIT-1129 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: grigorescu > Assignee: Vlad Grigorescu > Fix For: 2.3 > > > topic/vladg/radius is ready to be merged. It's been running at CMU for a few months with no issues. -- This message was sent by Atlassian JIRA (v6.2-OD-09-036#6252)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-1129) RADIUS Protocol Analyzer

by Robin Sommer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1129?page=com.atlassian.jira.p… ] Robin Sommer reassigned BIT-1129: --------------------------------- Assignee: Vlad Grigorescu > RADIUS Protocol Analyzer > ------------------------ > > Key: BIT-1129 > URL: https://bro-tracker.atlassian.net/browse/BIT-1129 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: grigorescu > Assignee: Vlad Grigorescu > Fix For: 2.3 > > > topic/vladg/radius is ready to be merged. It's been running at CMU for a few months with no issues. -- This message was sent by Atlassian JIRA (v6.2-OD-09-036#6252)

6 years, 9 months

Re: [Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/file-analysis-x509: Second try on the event interface. (7ba6bcf)

by Seth Hall

On Feb 28, 2014, at 6:04 AM, Bernhard Amann <bernhard(a)ICSI.Berkeley.EDU> wrote: > -event x509_extension(f: fa_file, ext: X509::Extension) > +event x509_extension(f: fa_file, cert: X509::Certificate, ext: X509::Extension) Would it make more sense to leave the cert out? Seems like state we should collect in script land instead of passing it through from the core each time. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

6 years, 9 months

[Bro-Dev] [Auto] Merge Status

by Merge Tracker

Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------ -------------- ---------- ------------- ---------- ----------------------------------------------------- BIT-1144 [1] Bro Brian Little Bernhard Amann 2014-02-25 - Low topk_get_top returned data type BIT-1129 [2] Bro grigorescu - 2014-02-18 2.3 Normal RADIUS Protocol Analyzer BIT-1117 [3] BroControl Justin Azoff - 2014-02-27 2.3 Normal Broctl base communication port should be configurable BIT-700 [4] Bro gregor Robin Sommer 2014-02-26 2.4 Normal PacketSorter BIT-123 [5] BroControl Robin Sommer Daniel Thayer 2014-02-26 2.3 Low expire-logs doesn't expire stats/* Open Fastpath Commits ====================== Commit Component Author Date Summary ----------- ----------- -------------- ---------- ------------------------------------------------------------ 80c319b [6] bro Bernhard Amann 2014-02-26 adjust timings of a few leak tests. bc75988 [7] bro Bernhard Amann 2014-02-24 More google tls extensions that are being actively used. 09c2491 [8] bro Bernhard Amann 2014-02-24 Remove unused and potentially unsafe function ListVal::Inclu [1] BIT-1144 https://bro-tracker.atlassian.net/browse/BIT-1144 [2] BIT-1129 https://bro-tracker.atlassian.net/browse/BIT-1129 [3] BIT-1117 https://bro-tracker.atlassian.net/browse/BIT-1117 [4] BIT-700 https://bro-tracker.atlassian.net/browse/BIT-700 [5] BIT-123 https://bro-tracker.atlassian.net/browse/BIT-123 [6] 80c319b https://github.com/bro/bro/commit/80c319b522dcad8f1ee41de52d9f962fb3e615d5 [7] bc75988 https://github.com/bro/bro/commit/bc75988bd9e76bc595a086d61e2ee2fa960209a0 [8] 09c2491 https://github.com/bro/bro/commit/09c2491896971ef361e3ca339175e625c98d406e

6 years, 9 months

Jump to page:

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

zeek-dev February 2014