zeek-dev November 2015

zeek-dev@lists.zeek.org

113 discussions

[Bro-Dev] Parse LDAP messages from a pcap

by Zakaria Hili

Hello, I need to parse LDAP messages from a pcap. So what I did is I tried to search for some Bro's events of LDAP but I failed. So I was wondering if there's some and that I missed them. If no, how can I then code a dissector of ldap easily so I could use it in events that I have to implement? Thank you for your help and keep up the good work! ᐧ

5 years

[Bro-Dev] [JIRA] (BIT-1442) Prevent possible segmentation violation/faults in Bro-2.3.2

by Johanna Amann (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1442?page=com.atlassian.jira.p… ] Johanna Amann updated BIT-1442: ------------------------------- Resolution: Invalid Status: Closed (was: Reopened) > Prevent possible segmentation violation/faults in Bro-2.3.2 > ----------------------------------------------------------- > > Key: BIT-1442 > URL: https://bro-tracker.atlassian.net/browse/BIT-1442 > Project: Bro Issue Tracker > Issue Type: Patch > Components: bro-aux, Broccoli > Affects Versions: 2.3 > Environment: Linux/Windows/BSD, etc > Reporter: Bill Parker > Labels: Segmentation, Violation, fault > Attachments: bro.c.patch, SubnetTree_wrap.cc.patch > > > Hello All, > In reviewing calls to memset() in Bro-2.3.2, I came across a > pair of instances where memset could POSSIBLY be called with a > address area pointing to NULL, which would generate a segmentation > violation/fault during execution. The patch files below should > address these issues: > In directory 'bro-2.3.2/aux/broctl/aux/pysubnettree', file > 'SubnetTree_wrap.cc': > --- SubnetTree_wrap.cc.orig 2015-08-02 18:56:24.034212101 -0400 > +++ SubnetTree_wrap.cc 2015-08-02 18:59:11.242212101 -0400 > @@ -719,6 +719,8 @@ > SWIG_UnpackDataName(const char *c, void *ptr, size_t sz, const char *name) { > if (*c != '_') { > if (strcmp(c,"NULL") == 0) { > + if (ptr == NULL) /* on off chance that ptr is NULL, memset() */ > + return 0; /* will segment violation/fault, so return 0 */ > memset(ptr,0,sz); > return name; > } else { > In directory 'bro-2.3.2/aux/broccoli/src', file 'bro.c': > --- bro.c.orig 2015-08-02 19:04:00.161212101 -0400 > +++ bro.c 2015-08-02 19:05:15.608212101 -0400 > @@ -367,6 +367,9 @@ > void > bro_ctx_init(BroCtx *ctx) > { > + if (! ctx) /* paranoid, ctx must NOT be NULL */ > + return; > + > memset(ctx, 0, sizeof(BroCtx)); > } > > Comments, Questions, Suggestions, Complaints :) > I am attaching the patch file(s) to this bug report... > Bill Parker (wp02855 at gmail dot com) -- This message was sent by Atlassian JIRA (v7.1.0-OD-02-025#71001)

5 years

[Bro-Dev] [Auto] Merge Status

by Merge Tracker

Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- -------------------------------------------------------------- BIT-1511 [1] BroControl Nicolas Merle Justin Azoff 2015-11-25 2.5 Normal BroControl unable to recognize ifconfig output in some locales BIT-1489 [2] BroControl Daniel Thayer Justin Azoff 2015-10-07 2.5 Normal topic/dnthayer/ticket1396 [3] Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #46 [4] bro albertzaharovits [5] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [6] #1 [7] broctl J-Gras [8] 2015-10-24 Added support for Pcap options [9] [1] BIT-1511 https://bro-tracker.atlassian.net/browse/BIT-1511 [2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489 [3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396 [4] Pull Request #46 https://github.com/bro/bro/pull/46 [5] albertzaharovits https://github.com/albertzaharovits [6] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [7] Pull Request #1 https://github.com/bro/broctl/pull/1 [8] J-Gras https://github.com/J-Gras [9] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

5 years

[Bro-Dev] [Auto] Merge Status

by Merge Tracker

5 years

[Bro-Dev] [Auto] Merge Status

by Merge Tracker

5 years

[Bro-Dev] [Auto] Merge Status

by Merge Tracker

5 years

[Bro-Dev] [Auto] Merge Status

by Merge Tracker

5 years

[Bro-Dev] [JIRA] (BIT-1442) Prevent possible segmentation violation/faults in Bro-2.3.2

by Homayan Ahamed (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1442?page=com.atlassian.jira.p… ] Homayan Ahamed updated BIT-1442: -------------------------------- Status: Reopened (was: Closed) Resolution: (was: Invalid) > Prevent possible segmentation violation/faults in Bro-2.3.2 > ----------------------------------------------------------- > > Key: BIT-1442 > URL: https://bro-tracker.atlassian.net/browse/BIT-1442 > Project: Bro Issue Tracker > Issue Type: Patch > Components: bro-aux, Broccoli > Affects Versions: 2.3 > Environment: Linux/Windows/BSD, etc > Reporter: Bill Parker > Labels: Segmentation, Violation, fault > Attachments: bro.c.patch, SubnetTree_wrap.cc.patch > > > Hello All, > In reviewing calls to memset() in Bro-2.3.2, I came across a > pair of instances where memset could POSSIBLY be called with a > address area pointing to NULL, which would generate a segmentation > violation/fault during execution. The patch files below should > address these issues: > In directory 'bro-2.3.2/aux/broctl/aux/pysubnettree', file > 'SubnetTree_wrap.cc': > --- SubnetTree_wrap.cc.orig 2015-08-02 18:56:24.034212101 -0400 > +++ SubnetTree_wrap.cc 2015-08-02 18:59:11.242212101 -0400 > @@ -719,6 +719,8 @@ > SWIG_UnpackDataName(const char *c, void *ptr, size_t sz, const char *name) { > if (*c != '_') { > if (strcmp(c,"NULL") == 0) { > + if (ptr == NULL) /* on off chance that ptr is NULL, memset() */ > + return 0; /* will segment violation/fault, so return 0 */ > memset(ptr,0,sz); > return name; > } else { > In directory 'bro-2.3.2/aux/broccoli/src', file 'bro.c': > --- bro.c.orig 2015-08-02 19:04:00.161212101 -0400 > +++ bro.c 2015-08-02 19:05:15.608212101 -0400 > @@ -367,6 +367,9 @@ > void > bro_ctx_init(BroCtx *ctx) > { > + if (! ctx) /* paranoid, ctx must NOT be NULL */ > + return; > + > memset(ctx, 0, sizeof(BroCtx)); > } > > Comments, Questions, Suggestions, Complaints :) > I am attaching the patch file(s) to this bug report... > Bill Parker (wp02855 at gmail dot com) -- This message was sent by Atlassian JIRA (v7.1.0-OD-01-053#71000)

5 years

[Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

by Gavin Spearhead (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.p… ] Gavin Spearhead commented on BIT-1502: -------------------------------------- Adding it seems to give much better results. Thanx > X509 doesn't log all certificates > --------------------------------- > > Key: BIT-1502 > URL: https://bro-tracker.atlassian.net/browse/BIT-1502 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Environment: test setup > Reporter: Gavin Spearhead > Assignee: Johanna Amann > Labels: ssl > Fix For: 2.5 > > > I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install. > E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored? -- This message was sent by Atlassian JIRA (v7.1.0-OD-01-053#71000)

5 years

[Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

by Gavin Spearhead (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.p… ] Gavin Spearhead commented on BIT-1502: -------------------------------------- I guess not. It's started through broctl bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto /opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto > X509 doesn't log all certificates > --------------------------------- > > Key: BIT-1502 > URL: https://bro-tracker.atlassian.net/browse/BIT-1502 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Environment: test setup > Reporter: Gavin Spearhead > Assignee: Johanna Amann > Labels: ssl > Fix For: 2.5 > > > I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install. > E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored? -- This message was sent by Atlassian JIRA (v7.1.0-OD-01-053#71000)

5 years

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

zeek-dev November 2015