Hello,
we are considering providing packages for a number of different
.deb and .rpm based distributions starting with Bro 2.4, using the
openSUSE Build Service.
As a first step, I have created a repository that contains nightly Bro
builds for CentOS, Debian, Fedora, SUSE Linux, Scientific Linux,
Univention as well as Ubuntu.
At the moment, Bro is installed into /opt/bro and broctl needs root
permissions to run. Users in the Bro group (which is automatically created
on installation) should be able to modify configuration files like
local.bro, or the broctl configuration, and read the log files that Bro
writes.
The package is called bro-nightly, a metapackage which pulls in the
sub-packages:
  bro-core-nightly, containing only bro without broctl or libbroccoli
  broctl-nightly, containing broctl
  libbroccoli-nightly, containing libbroccoli
  and libbroccoli-devel-nightly, containing the header files for libbroccoli
The OBS interface showing the status and sources is available at
https://build.opensuse.org/package/show/home:0xxon:bro/bro-nightly and
downloads are available at
http://software.opensuse.org/download.html?project=home%3A0xxon%3Abro&packa…
(locations will change in the future).
If you add the repositories to your distribution, new nightly builds
should automatically be installed each time bro is updated.
Additionally, Bro 2.3.2 packages are available at
https://build.opensuse.org/package/show/home:0xxon:bro/bro.
At the moment, this is in an early stage and I would be happy to receive
any kind of feedback or problems that you encounter when using these
packages. Please note that the packages have not gone through a lot of
testing and that you should not use them in a production environment :)
Johanna
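The permission model described above (broctl runs as root, members of the bro group may edit the configuration and read the logs) is easy to get wrong in a package's post-install step. The following audit script is an added example and not part of the packages or of Bro itself; the relative paths it checks assume Bro's usual prefix layout (etc/broctl.cfg, share/bro/site/local.bro, logs/, bin/bro), which the post does not spell out, so adjust them if the packages install differently.

```python
"""Audit a Bro install prefix against the permission model in the post:
broctl runs as root, members of the bro group may edit the configuration
and read the logs, and nothing under the prefix is world-writable.

Added example, not part of the packages or of Bro; the relative paths below
are an assumption about the prefix layout.
"""
import grp
import os
import stat

# Which paths the Bro group must be able to write, and which may stay
# world-readable. Everything must be group-owned and group-readable.
POLICY = {
    "etc/broctl.cfg":           {"group_write": True,  "world_read": False},
    "share/bro/site/local.bro": {"group_write": True,  "world_read": False},
    "logs":                     {"group_write": False, "world_read": False},
    "bin/bro":                  {"group_write": False, "world_read": True},
}


def _check(path, gid, rule):
    st = os.stat(path)
    m = st.st_mode
    out = []
    if st.st_gid != gid:
        out.append(f"{path}: owned by gid {st.st_gid}, expected {gid}")
    if m & stat.S_IWOTH:
        out.append(f"{path}: world-writable")
    if not m & stat.S_IRGRP:
        out.append(f"{path}: not group-readable")
    if stat.S_ISDIR(m) and not m & stat.S_IXGRP:
        out.append(f"{path}: directory not group-searchable")
    if rule["group_write"] and not m & stat.S_IWGRP:
        out.append(f"{path}: not group-writable, bro group cannot edit it")
    if not rule["group_write"] and m & stat.S_IWGRP:
        out.append(f"{path}: group-writable, should be writable by root only")
    if not rule["world_read"] and m & stat.S_IROTH:
        out.append(f"{path}: world-readable")
    return out


def audit_bro_install(root, group):
    """Return a list of findings (empty when the tree matches POLICY).
    `group` is a group name such as "bro" or a numeric gid."""
    gid = group if isinstance(group, int) else grp.getgrnam(group).gr_gid
    findings = []
    for rel, rule in POLICY.items():
        top = os.path.join(root, rel)
        if not os.path.lexists(top):
            findings.append(f"{top}: missing")
            continue
        findings.extend(_check(top, gid, rule))
        if os.path.isdir(top):
            # Log directories are nested by date; apply the same rule below.
            for dirpath, dirnames, filenames in os.walk(top):
                for name in dirnames + filenames:
                    findings.extend(_check(os.path.join(dirpath, name), gid, rule))
    return findings


if __name__ == "__main__":
    import sys
    problems = audit_bro_install(sys.argv[1] if len(sys.argv) > 1 else "/opt/bro", "bro")
    print("\n".join(problems) if problems else "ok")
    sys.exit(1 if problems else 0)
```

Run it after installing the package (`python3 audit.py /opt/bro`) and again after the first `broctl install`, since broctl rewrites parts of the tree as root and may not preserve the group bits the package set.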
[ https://bro-tracker.atlassian.net/browse/BIT-1255?page=com.atlassian.jira.p… ]
Vern Paxson commented on BIT-1255:
----------------------------------
That behavior is to not chew up tons of buffer when asymmetric routing leads to not seeing any acks. *However* I'm finding that modern traffic not infrequently is using much larger initial windows such that indeed there's routinely > 4KB of data at the beginning of a flow without any acknowledgments. I think this value needs to be cranked to at least 16KB lest a lot of routine traffic go unanalyzed.
> TCP reassembly issue
> --------------------
>
> Key: BIT-1255
> URL: https://bro-tracker.atlassian.net/browse/BIT-1255
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master, 2.3
> Environment: CentOS 6
> Reporter: Jimmy Jones
> Attachments: out.pcap
>
>
> Been testing bro with some messy (but valid) TCP streams, using docker and netem (happy to upload a gist if people are interested).
> The attached file reassembles correctly in wireshark, but bro only gives the first 4069 bytes when extracted with the file analysis framework, and obviously the wrong hash (md5 is the URI).
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)
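The effect Vern describes (a cap on how much data the reassembler will hold beyond the last acknowledgement, which truncates flows whose initial window exceeds the cap) can be measured on a constructed flow. The model below is an added example and is not Bro's reassembler; it reproduces only the capping behaviour so that the delivered byte count and hash can be compared for a 4KB and a 16KB cap.

```python
"""Toy model of a TCP reassembler that refuses to buffer more than a fixed
amount of data beyond the last acknowledgement, the behaviour discussed in
BIT-1255. Added example, not Bro's reassembler: it reproduces only the
effect of such a cap so it can be measured on a constructed flow.
"""
import hashlib

MSS = 1460  # bytes of payload per segment, a typical Ethernet MSS


class CappedReassembler:
    def __init__(self, max_unacked):
        self.max_unacked = max_unacked
        self.acked = 0          # highest offset the receiver has ACKed
        self.delivered = 0      # next in-order offset handed to analysis
        self.pending = {}       # out-of-order segments, keyed by offset
        self.content = bytearray()
        self.dropped = 0        # bytes never buffered because of the cap

    def on_data(self, offset, payload):
        # A segment that would extend more than max_unacked bytes past the
        # acknowledged point is not buffered. That saves memory when ACKs are
        # never seen (asymmetric routing) but loses data when a large initial
        # window lets the sender run far ahead of the first ACK.
        if offset + len(payload) - self.acked > self.max_unacked:
            self.dropped += len(payload)
            return
        self.pending[offset] = payload
        while self.delivered in self.pending:
            seg = self.pending.pop(self.delivered)
            self.content += seg
            self.delivered += len(seg)

    def on_ack(self, ack):
        self.acked = max(self.acked, ack)


def build_flow(nsegments):
    """Constructed sample flow: nsegments in-order segments of MSS bytes."""
    return [(i * MSS, bytes([i % 256]) * MSS) for i in range(nsegments)]


def analyse_flow(segments, ack_after, max_unacked):
    """Replay `segments` ((offset, payload) pairs in arrival order) through a
    reassembler; the receiver's first ACK is seen only after `ack_after`
    segments, as with a large initial window. Returns (bytes delivered,
    bytes dropped, md5 of the delivered content), i.e. what the file
    analysis framework would see."""
    r = CappedReassembler(max_unacked)
    for i, (off, data) in enumerate(segments):
        r.on_data(off, data)
        if i + 1 == ack_after:
            r.on_ack(r.delivered)
    return len(r.content), r.dropped, hashlib.md5(bytes(r.content)).hexdigest()


if __name__ == "__main__":
    flow = build_flow(12)  # 17520 bytes, ten segments before the first ACK
    for cap in (4096, 16384):
        print(cap, analyse_flow(flow, 10, cap))
```

With a 4096-byte cap the model hands only two segments to analysis and drops everything up to the first ACK, so the hash covers a truncated file; with a 16384-byte cap the same flow, even with segments arriving out of order, is delivered whole.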
[ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.p… ]
Robin Sommer reassigned BIT-1319:
---------------------------------
Assignee: Robin Sommer
> topic/jsiwek/broker
> -------------------
>
> Key: BIT-1319
> URL: https://bro-tracker.atlassian.net/browse/BIT-1319
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jon Siwek
> Assignee: Robin Sommer
> Fix For: 2.4
>
>
> The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker.
> Notes/Disclaimers/Caveats:
> - Bro has a --enable-broker configure flag.
> - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that.
> - no C bindings yet
> - no Python bindings yet
> - other than checking compilation that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc.
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)
[ https://bro-tracker.atlassian.net/browse/BIT-1320?page=com.atlassian.jira.p… ]
Daniel Thayer commented on BIT-1320:
------------------------------------
I just added another commit to this branch to address an issue reported on the bro mailing list
involving PF_RING+DNA interface names.
> topic/jazoff/broctld
> --------------------
>
> Key: BIT-1320
> URL: https://bro-tracker.atlassian.net/browse/BIT-1320
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Reporter: Daniel Thayer
> Fix For: 2.4
>
>
> Branch topic/jazoff/broctld in the broctl repo contains significant code reorganization
> for the upcoming broctld. Here is a high-level list of changes:
> 1) Refactor broctl to make it usable as a library (reduce global state, module-level setup code, and functions return results instead of printing),
> 2) Integrate ssh_runner code into broctl to fix current problems (use only one connection per host instead of one per Bro node, broctl shouldn't hang when a host goes down or if we forgot to run "broctl install"),
> 3) Write state info using SQLite state storage instead of writing to a plain text file (broctl.dat),
> 4) When the node config changes, we now do additional checks if there are any Bro nodes running that are no longer in our node config and warn user if any are detected,
> 5) Keep track of the expected state (running or stopped) of each Bro node, and have broctl cron start or stop nodes as needed,
> 6) Improved broctl cron by adding two new options (MailHostUpDown and StatsLogEnable) to give users the option to turn off unwanted functionality to speed up broctl cron and reduce the chance of errors,
> 7) When broctl cron tries to send email but fails, now it will output a message that includes the text it was trying to mail,
> 8) Silence warning messages (that are intended for interactive use of broctl) when broctl cron runs to reduce unwanted emails from cron,
> 9) Added new broctl option StatusCmdShowAll to enable users to speed up "broctl status" significantly,
> 10) Fixed the stats-to-csv script to not create files that can never include any data,
> 11) Fixed archive-log script to detect exit status of gzip or cp command, so that we don't delete log file when the archival fails,
> 12) Improved post-terminate script to process log files more consistently,
> 13) Made all broctl command output go to stdout (previously, some output would go to stderr, which made grepping or redirecting the output more difficult),
> 14) Improved the default broctl.cfg file to show more of the useful options,
> 15) Added more error checks to help catch errors earlier,
> 16) Some error message output is more specific and helpful now
>
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)
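Item 11 above describes a classic log-loss failure: the archive step deletes the original before checking that the compressed copy was actually written. The routine below is an added example in Python, not broctl's archive-log script (which the ticket says shells out to gzip and cp); it shows the safe ordering: write to a temporary name, fsync, read the archive back and compare, rename into place, and only then remove the source.

```python
"""Archive a log file so that the original is removed only after the
compressed copy has been written, fsynced and read back. Added example,
not broctl's archive-log script.
"""
import gzip
import hashlib
import os
import shutil
from typing import Optional


def _sha256_of(fileobj, chunk=1 << 16) -> str:
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def archive_log(src: str, dest_dir: str) -> Optional[str]:
    """Compress src to dest_dir/<name>.gz. Returns the archive path on
    success; on any failure returns None and leaves src in place, so a
    failed archival never loses the log."""
    final = os.path.join(dest_dir, os.path.basename(src) + ".gz")
    part = final + ".part"  # written first, renamed only when complete
    try:
        os.makedirs(dest_dir, exist_ok=True)
        with open(src, "rb") as fin, open(part, "wb") as raw:
            with gzip.GzipFile(fileobj=raw, mode="wb") as gz:
                shutil.copyfileobj(fin, gz)
            raw.flush()
            os.fsync(raw.fileno())
        # Read the archive back and compare digests; a plain "gzip && cp"
        # pipeline that ignores exit codes never performs this check.
        with open(src, "rb") as fin, gzip.open(part, "rb") as gz:
            if _sha256_of(fin) != _sha256_of(gz):
                raise OSError("archive does not match source")
        os.replace(part, final)
    except OSError:
        try:
            os.unlink(part)
        except OSError:
            pass
        return None
    os.unlink(src)
    return final


if __name__ == "__main__":
    import sys
    result = archive_log(sys.argv[1], sys.argv[2])
    print(result or "archival failed, source kept")
    sys.exit(0 if result else 1)
```

The same ordering applies to a shell implementation: `gzip -c "$f" > "$out.part" && gzip -t "$out.part" && mv "$out.part" "$out" && rm "$f"`, with every step chained on the previous one's exit status.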
[ https://bro-tracker.atlassian.net/browse/BIT-1322?page=com.atlassian.jira.p… ]
Daniel Thayer commented on BIT-1322:
------------------------------------
Branch topic/dnthayer/ticket1322 in the btest repo contains the fix, and also improved
documentation about the timing functionality.
> btest should warn when using -T option but cannot create timing baseline
> ------------------------------------------------------------------------
>
> Key: BIT-1322
> URL: https://bro-tracker.atlassian.net/browse/BIT-1322
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BTest
> Reporter: Daniel Thayer
> Fix For: 2.4
>
>
> When using "btest -T" on a system that cannot perform timing measurements there
> is no warning message to notify the user that the requested operation (create a timing
> baseline) cannot be performed. This is especially confusing on a Linux machine
> that has the "perf" command installed, but not other required components.
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)
[ https://bro-tracker.atlassian.net/browse/BIT-1322?page=com.atlassian.jira.p… ]
Daniel Thayer updated BIT-1322:
-------------------------------
Status: Merge Request (was: Open)
> btest should warn when using -T option but cannot create timing baseline
> ------------------------------------------------------------------------
>
> Key: BIT-1322
> URL: https://bro-tracker.atlassian.net/browse/BIT-1322
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BTest
> Reporter: Daniel Thayer
> Fix For: 2.4
>
>
> When using "btest -T" on a system that cannot perform timing measurements there
> is no warning message to notify the user that the requested operation (create a timing
> baseline) cannot be performed. This is especially confusing on a Linux machine
> that has the "perf" command installed, but not other required components.
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)
Daniel Thayer created BIT-1322:
----------------------------------
Summary: btest should warn when using -T option but cannot create timing baseline
Key: BIT-1322
URL: https://bro-tracker.atlassian.net/browse/BIT-1322
Project: Bro Issue Tracker
Issue Type: Problem
Components: BTest
Reporter: Daniel Thayer
Fix For: 2.4
When using "btest -T" on a system that cannot perform timing measurements there
is no warning message to notify the user that the requested operation (create a timing
baseline) cannot be performed. This is especially confusing on a Linux machine
that has the "perf" command installed, but not other required components.
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)
[ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.p… ]
Jon Siwek updated BIT-1319:
---------------------------
Description:
The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker.
Notes/Disclaimers/Caveats:
- Bro has a --enable-broker configure flag.
- requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that.
- no C bindings yet
- no Python bindings yet
- other than checking compilation that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc.
was:
The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker.
Notes/Disclaimers/Caveats:
- Bro has a --enable-broker configure flag.
- requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that.
- no C bindings yet
- no Python bindings yet
- other than checking compilation that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc.
- the serialization format for persistent data stores is currently unversioned, so backwards compatibility is pretty sketchy for most data types if they're ever changed in the future. Should be easy to add a version tag for each C++ class/struct that needs to be persisted. Do we also need to assume persistent data may be transferred to different hosts (i.e. be mindful of endianness) ? I guess that could even be an option left to user to select if they're certain they'd rather have a bit better performance than portability.
> topic/jsiwek/broker
> -------------------
>
> Key: BIT-1319
> URL: https://bro-tracker.atlassian.net/browse/BIT-1319
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jon Siwek
> Fix For: 2.4
>
>
> The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker.
> Notes/Disclaimers/Caveats:
> - Bro has a --enable-broker configure flag.
> - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that.
> - no C bindings yet
> - no Python bindings yet
> - other than checking compilation that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc.
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)
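The earlier description of BIT-1319 raised two points about persistent data stores: the serialization format is unversioned, and persisted data may move between hosts of different endianness. The encoder/decoder below is an added example and not Broker's format; the magic, version numbers and field layout are assumptions chosen to show what a version tag per persisted record and an explicit byte order buy you, and how a reader should fail on a version it does not know or on a truncated record.

```python
"""Versioned, byte-order-explicit encoding for a persisted store entry.
Added example, not Broker's format: MAGIC, the version numbers and the
field layout are assumptions for illustration.
"""
import struct
from typing import Optional, Tuple

MAGIC = b"BKR"          # assumed record tag
CURRENT_VERSION = 2     # v1: key, value; v2 adds an expiry timestamp


class FormatError(ValueError):
    pass


class _Reader:
    """Bounds-checked cursor so a truncated or hostile record raises
    FormatError instead of silently yielding short fields."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.buf):
            raise FormatError(f"need {n} bytes at offset {self.pos}, "
                              f"have {len(self.buf) - self.pos}")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def unpack(self, fmt: str):
        # Every number is big-endian ('>'), so a store written on a
        # little-endian host reads back identically on a big-endian one.
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))


def _blob(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def encode_entry(key: bytes, value: bytes, expiry: Optional[float] = None) -> bytes:
    """Entries without an expiry are written as v1 so that a reader that
    only knows v1 can still load them; everything else uses the current
    version."""
    version = 1 if expiry is None else CURRENT_VERSION
    body = _blob(key) + _blob(value)
    if version >= 2:
        body += struct.pack(">d", expiry)
    return MAGIC + struct.pack(">H", version) + body


def decode_entry(buf: bytes) -> Tuple[bytes, bytes, Optional[float]]:
    r = _Reader(buf)
    if r.take(len(MAGIC)) != MAGIC:
        raise FormatError("not a store entry")
    (version,) = r.unpack(">H")
    if version < 1 or version > CURRENT_VERSION:
        # Refuse rather than guess: a newer layout would be misparsed.
        raise FormatError(f"unsupported entry version {version}")
    (klen,) = r.unpack(">I")
    key = r.take(klen)
    (vlen,) = r.unpack(">I")
    value = r.take(vlen)
    expiry = None
    if version >= 2:
        (expiry,) = r.unpack(">d")
    if r.pos != len(buf):
        raise FormatError(f"{len(buf) - r.pos} trailing bytes")
    return key, value, expiry


if __name__ == "__main__":
    rec = encode_entry(b"host", b"10.0.0.1", 1700000000.5)
    print(rec.hex(), decode_entry(rec))
```

Tagging each persisted struct this way costs two bytes per record and makes the compatibility decision explicit at read time; the fixed big-endian layout removes the endianness question entirely, at the price of a byte swap on little-endian hosts, which is the performance/portability trade-off the note mentions.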