[ https://bro-tracker.atlassian.net/browse/BIT-1180?page=com.atlassian.jira.p… ]
Bernhard Amann commented on BIT-1180:
-------------------------------------
For input streams that have re-read enabled, should we perhaps not really die on errors, but still try to re-read the file upon each change to it? So if there is one file version that has whatever error, and later ones don't have it, we will pick up the new version, even if we failed before?
> Input framework subsequent REREAD fails after file update
> -----------------------------------------------------------
>
> Key: BIT-1180
> URL: https://bro-tracker.atlassian.net/browse/BIT-1180
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.2
> Reporter: Aashish Sharma
> Assignee: Bernhard Amann
> Priority: High
> Labels: input-framework
> Fix For: 2.4
>
>
> I have a file that gets updated every hour and I am using it as a feed into bro using input framework. Every hour I write a list of IP addresses into this file. For many updates everything works fine but occasionally, I see the following error:
> Apr 6 05:00:09 Reporter::ERROR /feeds/Blacklist/CURRENT.24hrs_BRO/Input::READER_ASCII: could not read first line (empty)
> After this failure/message, any subsequent updates on the file are ignored by the input framework.
> From visual inspection the file looks just fine and header/data (1 column of IP addresses) is there as expected but somehow input framework doesn't like it. It seems that every hour when I update the file using a cron script, on a rare occasion the file is empty for a minuscule duration after which this error starts.
> For further REREADS data won't get updated into the tables anymore once the above Reporter::ERROR kicks in.
> Please let me know if you need ways to reproduce this error condition or have more questions for me.
--
This message was sent by Atlassian JIRA
(v6.3-OD-05-016#6325)
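The two behaviours discussed in this message, as an added example that is not part of the original thread and is not Bro's code: a toy model of a re-reading stream that either stops after the first read error (the reported behaviour) or retries on every file change (the proposal). The `FeedReader` class, the `replay` helper and the sample feed contents are constructed for illustration.

```python
import os
import tempfile


class FeedReader:
    """Toy model of one REREAD stream over a one-column feed file."""

    def __init__(self, path, retry_after_error):
        self.path = path
        self.retry_after_error = retry_after_error  # False models the reported behaviour
        self.disabled = False
        self.table = set()
        self.errors = []

    def on_file_change(self):
        """Called once per file update; returns True if the table was refreshed."""
        if self.disabled:
            return False  # every later update is ignored
        with open(self.path) as fh:
            lines = fh.read().splitlines()
        if not lines:
            self.errors.append("could not read first line (empty)")
            # Fail-stop policy disables the stream; retry policy keeps it armed.
            self.disabled = not self.retry_after_error
            return False  # the last good table stays in place
        # First line is the header, remaining lines are one IP address each.
        self.table = {line.strip() for line in lines[1:] if line.strip()}
        return True


def replay(versions, retry_after_error):
    """Write each file version in turn and let the reader react to it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "feed")
        reader = FeedReader(path, retry_after_error)
        for content in versions:
            with open(path, "w") as fh:
                fh.write(content)
            reader.on_file_change()
        return reader.table, reader.errors


# Constructed sample: a good version, an empty snapshot seen mid-update, a newer good version.
VERSIONS = ["#fields\tip\n192.0.2.1\n", "", "#fields\tip\n192.0.2.1\n198.51.100.7\n"]

if __name__ == "__main__":
    for policy in (False, True):
        table, errors = replay(VERSIONS, policy)
        print("retry" if policy else "fail-stop", sorted(table), errors)
```

With the fail-stop policy the table stays at the first version after the empty snapshot; with the retry policy the same single error is logged and the third version is still picked up.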
[ https://bro-tracker.atlassian.net/browse/BIT-1180?page=com.atlassian.jira.p… ]
Bernhard Amann updated BIT-1180:
--------------------------------
Fix Version/s: 2.4
[ https://bro-tracker.atlassian.net/browse/BIT-1195?page=com.atlassian.jira.p… ]
Anthony Verez commented on BIT-1195:
------------------------------------
It works well now, thanks :-)
> SSL: subject overflow in issuer_subject
> ---------------------------------------
>
> Key: BIT-1195
> URL: https://bro-tracker.atlassian.net/browse/BIT-1195
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master, 2.2
> Environment: Tested on Debian and Security Onion
> Reporter: Anthony Verez
> Assignee: Bernhard Amann
> Fix For: 2.3
>
> Attachments: 2.2_logs.tar.gz, capture.pcap, master_logs.tar.gz
>
>
> Hi,
> I found a string overflow of subject into issuer_subject that can be seen in both ssl.log (2.2 and master) and x509.log (master)
> Steps to reproduce:
> 1. Start capturing
> 2. openssl s_client -connect 63.245.215.80:443
> 3. Stop capturing
> 4. Load the pcap in Bro
> Problem:
> * cat -t master_logs/ssl.log -> "Orga^Inization"
> * cat -t master_logs/x509.log -> "Orga^Inization"
> * cat -t 2.2_logs/x509.log -> "Orga^Inization"
> Whereas the openssl command above gives
> subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=CA/L=Mountain View/O=Mozilla Foundation/CN=bugzilla.mozilla.org
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
> I have attached:
> * the pcap
> * logs in both 2.2 and master (bro -r capture.pcap)
> Great job on beta 2.3 :-)
[ https://bro-tracker.atlassian.net/browse/BIT-1195?page=com.atlassian.jira.p… ]
Bernhard Amann commented on BIT-1195:
-------------------------------------
Fix is in topic/bernhard/ticket-1195 of bro and testing
[ https://bro-tracker.atlassian.net/browse/BIT-1197?page=com.atlassian.jira.p… ]
Jon Siwek commented on BIT-1197:
--------------------------------
Thanks; fixed in git now.
> policy/misc/load-balancing.bro has an error
> -------------------------------------------
>
> Key: BIT-1197
> URL: https://bro-tracker.atlassian.net/browse/BIT-1197
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.2
> Reporter: Andrew Hoying
> Priority: Low
> Fix For: 2.3
>
>
> policy/misc/load-balancing.bro references the function PacketFilter::sample_filter, which fails when the script is compiled. The correct function name is PacketFilter::sampling_filter.
[ https://bro-tracker.atlassian.net/browse/BIT-1197?page=com.atlassian.jira.p… ]
Jon Siwek updated BIT-1197:
---------------------------
Resolution: Fixed
Status: Closed (was: Open)
> policy/misc/load-balancing.bro has an error
> -------------------------------------------
>
> Key: BIT-1197
> URL: https://bro-tracker.atlassian.net/browse/BIT-1197
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.2
> Reporter: Andrew Hoying
> Priority: Low
>
> policy/misc/load-balancing.bro references the function PacketFilter::sample_filter, which fails when the script is compiled. The correct function name is PacketFilter::sampling_filter.
[ https://bro-tracker.atlassian.net/browse/BIT-1197?page=com.atlassian.jira.p… ]
Jon Siwek updated BIT-1197:
---------------------------
Fix Version/s: 2.3