zeek-dev May 2014

zeek-dev@lists.zeek.org

106 discussions

by Merge Tracker

Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- -------------- ---------- ------------- ---------- --------------------------------------- BIT-1195 [1] Bro Anthony Verez Bernhard Amann 2014-05-30 2.3 Normal SSL: subject overflow in issuer_subject Open Fastpath Commits ====================== Commit Component Author Date Summary ----------- ----------- ------------- ---------- ----------------------------------------------------- cb76145 [2] broctl Daniel Thayer 2014-05-30 Fix for capstats to display correct interface name 4aae8da [3] broctl Daniel Thayer 2014-05-29 Fix for capstats with PF_RING+DNA pfdnacluster_master Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ------------ ------------ ---------- -------------------------------------------- #9 [4] bro Mraoul [5] 2014-05-19 New Logging Writers based on librabbitmq [6] #3 [7] pysubnettree kitterma [8] 2014-05-30 Update MANIFEST.in [9] [1] BIT-1195 https://bro-tracker.atlassian.net/browse/BIT-1195 [2] cb76145 https://github.com/bro/broctl/commit/cb76145399484198c4079767a08f80db41c033… [3] 4aae8da https://github.com/bro/broctl/commit/4aae8daace0774636824c808310cf0d244cc83… [4] Pull Request #9 https://github.com/bro/bro/pull/9 [5] Mraoul https://github.com/Mraoul [6] Merge Pull Request #9 with git pull https://github.com/MITRECND/bro.git topic/rabbit_writers [7] Pull Request #3 https://github.com/bro/pysubnettree/pull/3 [8] kitterma https://github.com/kitterma [9] Merge Pull Request #3 with git pull https://github.com/kitterma/pysubnettree.git master

8 years

[Bro-Dev] [JIRA] (BIT-1180) Input framework subsiquient REREAD fails after file update

by Bernhard Amann (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1180?page=com.atlassian.jira.p… ] Bernhard Amann commented on BIT-1180: ------------------------------------- For input streams that have re-read enabled, should we perhaps not really die on errors, but still try to re-read the file upon each change to it? So if there is one file version that has whatever error, and latter ones don't have it, we will pick up the new version, even if we failed before? > Input framework subsiquient REREAD fails after file update > ----------------------------------------------------------- > > Key: BIT-1180 > URL: https://bro-tracker.atlassian.net/browse/BIT-1180 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.2 > Reporter: Aashish Sharma > Assignee: Bernhard Amann > Priority: High > Labels: input-framework > Fix For: 2.4 > > > I have a file that gets updated every hour and I am using it as a feed into bro using input framework. Every hour I write a list of IP addresses into this file. For many updates everything works fine but Occasionally, I see the following error: > Apr 6 05:00:09 Reporter::ERROR /feeds/Blacklist/CURRENT.24hrs_BRO/Input::READER_ASCII: could not read first line (empty) > After this failure/message, any subsequent updates on the file are ignored by the input framework. > From visual inspection the file looks just fine and header/data (1 column of IP addresses) is there as expected but somehow input framework doesn't like it. It seems that every hour when update the file using a cron script, on a rare occasion the file is empty for a minuscule duration after which this error starts. > for further REREADS data won't get updated into the tables anymore once the above Reporter::ERROR kicks in. > Please let me know if you need ways to reproduce this error condition or have more questions for me. -- This message was sent by Atlassian JIRA (v6.3-OD-05-016#6325)

8 years

[Bro-Dev] [JIRA] (BIT-1180) Input framework subsiquient REREAD fails after file update

by Bernhard Amann (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1180?page=com.atlassian.jira.p… ] Bernhard Amann updated BIT-1180: -------------------------------- Fix Version/s: 2.4 > Input framework subsiquient REREAD fails after file update > ----------------------------------------------------------- > > Key: BIT-1180 > URL: https://bro-tracker.atlassian.net/browse/BIT-1180 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.2 > Reporter: Aashish Sharma > Assignee: Bernhard Amann > Priority: High > Labels: input-framework > Fix For: 2.4 > > > I have a file that gets updated every hour and I am using it as a feed into bro using input framework. Every hour I write a list of IP addresses into this file. For many updates everything works fine but Occasionally, I see the following error: > Apr 6 05:00:09 Reporter::ERROR /feeds/Blacklist/CURRENT.24hrs_BRO/Input::READER_ASCII: could not read first line (empty) > After this failure/message, any subsequent updates on the file are ignored by the input framework. > From visual inspection the file looks just fine and header/data (1 column of IP addresses) is there as expected but somehow input framework doesn't like it. It seems that every hour when update the file using a cron script, on a rare occasion the file is empty for a minuscule duration after which this error starts. > for further REREADS data won't get updated into the tables anymore once the above Reporter::ERROR kicks in. > Please let me know if you need ways to reproduce this error condition or have more questions for me. -- This message was sent by Atlassian JIRA (v6.3-OD-05-016#6325)

8 years

[Bro-Dev] [JIRA] (BIT-1195) SSL: subject overflow in issuer_subject

by Anthony Verez (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1195?page=com.atlassian.jira.p… ] Anthony Verez commented on BIT-1195: ------------------------------------ It works well now, thanks :-) > SSL: subject overflow in issuer_subject > --------------------------------------- > > Key: BIT-1195 > URL: https://bro-tracker.atlassian.net/browse/BIT-1195 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master, 2.2 > Environment: Tested on Debian and Security Onion > Reporter: Anthony Verez > Assignee: Bernhard Amann > Fix For: 2.3 > > Attachments: 2.2_logs.tar.gz, capture.pcap, master_logs.tar.gz > > > Hi, > I found a string overflow of subject into issuer_subject that can be seen in both ssl.log (2.2 and master) and x509.log (master) > Steps to reproduce: > 1. Start capturing > 2. openssl s_client -connect 63.245.215.80:443 > 3. Stop capturing > 4. Load the pcap in Bro > Problem: > * cat -t master_logs/ssl.log -> "Orga^Inization" > * cat -t master_logs/x509.log -> "Orga^Inization" > * cat -t 2.2_logs/x509.log -> "Orga^Inization" > Whereas the openssl command above gives > subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=CA/L=Mountain View/O=Mozilla Foundation/CN=bugzilla.mozilla.org > issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1 > I have attached: > * the pcap > * logs in both 2.2 and master (bro -r capture.pcap) > Great job on beta 2.3 :-) -- This message was sent by Atlassian JIRA (v6.3-OD-05-016#6325)

8 years

[Bro-Dev] [JIRA] (BIT-1195) SSL: subject overflow in issuer_subject

by Bernhard Amann (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1195?page=com.atlassian.jira.p… ] Bernhard Amann updated BIT-1195: -------------------------------- Status: Merge Request (was: Open) > SSL: subject overflow in issuer_subject > --------------------------------------- > > Key: BIT-1195 > URL: https://bro-tracker.atlassian.net/browse/BIT-1195 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master, 2.2 > Environment: Tested on Debian and Security Onion > Reporter: Anthony Verez > Assignee: Bernhard Amann > Fix For: 2.3 > > Attachments: 2.2_logs.tar.gz, capture.pcap, master_logs.tar.gz > > > Hi, > I found a string overflow of subject into issuer_subject that can be seen in both ssl.log (2.2 and master) and x509.log (master) > Steps to reproduce: > 1. Start capturing > 2. openssl s_client -connect 63.245.215.80:443 > 3. Stop capturing > 4. Load the pcap in Bro > Problem: > * cat -t master_logs/ssl.log -> "Orga^Inization" > * cat -t master_logs/x509.log -> "Orga^Inization" > * cat -t 2.2_logs/x509.log -> "Orga^Inization" > Whereas the openssl command above gives > subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=CA/L=Mountain View/O=Mozilla Foundation/CN=bugzilla.mozilla.org > issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1 > I have attached: > * the pcap > * logs in both 2.2 and master (bro -r capture.pcap) > Great job on beta 2.3 :-) -- This message was sent by Atlassian JIRA (v6.3-OD-05-016#6325)

8 years

[Bro-Dev] [JIRA] (BIT-1195) SSL: subject overflow in issuer_subject

by Bernhard Amann (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1195?page=com.atlassian.jira.p… ] Bernhard Amann commented on BIT-1195: ------------------------------------- Fix is in topic/bernhard/ticket-1195 of bro and testing > SSL: subject overflow in issuer_subject > --------------------------------------- > > Key: BIT-1195 > URL: https://bro-tracker.atlassian.net/browse/BIT-1195 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master, 2.2 > Environment: Tested on Debian and Security Onion > Reporter: Anthony Verez > Assignee: Bernhard Amann > Fix For: 2.3 > > Attachments: 2.2_logs.tar.gz, capture.pcap, master_logs.tar.gz > > > Hi, > I found a string overflow of subject into issuer_subject that can be seen in both ssl.log (2.2 and master) and x509.log (master) > Steps to reproduce: > 1. Start capturing > 2. openssl s_client -connect 63.245.215.80:443 > 3. Stop capturing > 4. Load the pcap in Bro > Problem: > * cat -t master_logs/ssl.log -> "Orga^Inization" > * cat -t master_logs/x509.log -> "Orga^Inization" > * cat -t 2.2_logs/x509.log -> "Orga^Inization" > Whereas the openssl command above gives > subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=CA/L=Mountain View/O=Mozilla Foundation/CN=bugzilla.mozilla.org > issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1 > I have attached: > * the pcap > * logs in both 2.2 and master (bro -r capture.pcap) > Great job on beta 2.3 :-) -- This message was sent by Atlassian JIRA (v6.3-OD-05-016#6325)

8 years

[Bro-Dev] [Auto] Merge Status

by Merge Tracker

Open Fastpath Commits ====================== Commit Component Author Date Summary ----------- ----------- ------------- ---------- ----------------------------------------------------- 4aae8da [1] broctl Daniel Thayer 2014-05-29 Fix for capstats with PF_RING+DNA pfdnacluster_master Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- ---------- ---------- -------------------------------------------- #9 [2] bro Mraoul [3] 2014-05-19 New Logging Writers based on librabbitmq [4] [1] 4aae8da https://github.com/bro/broctl/commit/4aae8daace0774636824c808310cf0d244cc83… [2] Pull Request #9 https://github.com/bro/bro/pull/9 [3] Mraoul https://github.com/Mraoul [4] Merge Pull Request #9 with git pull https://github.com/MITRECND/bro.git topic/rabbit_writers

8 years

[Bro-Dev] [JIRA] (BIT-1197) policy/misc/load-balancing.bro has an error

by Jon Siwek (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1197?page=com.atlassian.jira.p… ] Jon Siwek commented on BIT-1197: -------------------------------- Thanks; fixed in git now. > policy/misc/load-balancing.bro has an error > ------------------------------------------- > > Key: BIT-1197 > URL: https://bro-tracker.atlassian.net/browse/BIT-1197 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.2 > Reporter: Andrew Hoying > Priority: Low > Fix For: 2.3 > > > policy/misc/load-balancing.bro references the function PacketFilter::sample_filter, which fails when the script is compiled. The correct function name is PacketFilter::sampling_filter. -- This message was sent by Atlassian JIRA (v6.3-OD-05-016#6325)

8 years

[Bro-Dev] [JIRA] (BIT-1197) policy/misc/load-balancing.bro has an error

by Jon Siwek (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1197?page=com.atlassian.jira.p… ] Jon Siwek updated BIT-1197: --------------------------- Resolution: Fixed Status: Closed (was: Open) > policy/misc/load-balancing.bro has an error > ------------------------------------------- > > Key: BIT-1197 > URL: https://bro-tracker.atlassian.net/browse/BIT-1197 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.2 > Reporter: Andrew Hoying > Priority: Low > > policy/misc/load-balancing.bro references the function PacketFilter::sample_filter, which fails when the script is compiled. The correct function name is PacketFilter::sampling_filter. -- This message was sent by Atlassian JIRA (v6.3-OD-05-016#6325)

8 years

[Bro-Dev] [JIRA] (BIT-1197) policy/misc/load-balancing.bro has an error

by Jon Siwek (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1197?page=com.atlassian.jira.p… ] Jon Siwek updated BIT-1197: --------------------------- Fix Version/s: 2.3 > policy/misc/load-balancing.bro has an error > ------------------------------------------- > > Key: BIT-1197 > URL: https://bro-tracker.atlassian.net/browse/BIT-1197 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.2 > Reporter: Andrew Hoying > Priority: Low > Fix For: 2.3 > > > policy/misc/load-balancing.bro references the function PacketFilter::sample_filter, which fails when the script is compiled. The correct function name is PacketFilter::sampling_filter. -- This message was sent by Atlassian JIRA (v6.3-OD-05-016#6325)

8 years

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

zeek-dev May 2014