zeek-dev March 2015

zeek-dev@lists.zeek.org

523 discussions

[Bro-Dev] Bro nightly packages for .dev and .rpm based distributions

by Johanna Amann

Hello, we are considering to provide packages for a number of different .deb and .rpm based distributions starting with Bro 2.4, using the OpenSuse build service. As a first step, I have created a repository that contains nightly Bro builds for CentOs, Debian, Fedora, Suse Linux, Scientific Linux, Univention as well as Ubuntu. At the moment, Bro is installed into /opt/bro and broctl needs root permissions to run. Users in the Bro group (which is automatically created on installation) should be able to modify configuration files like local.bro, or the broctl configuration, and read the log files that Bro writes. The package is called bro-nightly which is a metapackage which pulls in the sub-packages bro-core-nightly, containing only bro without broctl or libbroccoli broctl-nightly, containing broctl libbroccoli-nightly, containing libbroccoli and libbroccoli-devel-nightly, containing the header files for libbroccoli The obs interface showing the status and sources is available at https://build.opensuse.org/package/show/home:0xxon:bro/bro-nightly and downloads are available at http://software.opensuse.org/download.html?project=home%3A0xxon%3Abro&packa… (locations will change in the future). If you add the repositories to your distribution, new nightly builds should automatically be installed each time bro is updated. Additionally, Bro 2.3.2 packages are available at https://build.opensuse.org/package/show/home:0xxon:bro/bro. At the moment, this is in an early stage and I would be happy to receive any kind of feedback or problems that you encounter when using these packages. Please note that the packages have not gone through a lot of testing and that you should not use them in a production environment :) Johanna

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

by Ted Llewellyn (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.p… ] Ted Llewellyn updated BIT-1361: ------------------------------- Hmmm, that URL is giving me a 403 error when I try to "git clone" it. It didn't ask me for credentials and I'm using 1.7.10.4, so I'm not sure why. Ted Llewellyn Sr. Network Planning Engineer VoIP Engineering Frontier Communications 120 Plymouth Ave. N. Rochester, NY 14608 585-413-9743 > New installation of Bro crashes and core dumps with error indicating ssh/binpac > ------------------------------------------------------------------------------- > > Key: BIT-1361 > URL: https://bro-tracker.atlassian.net/browse/BIT-1361 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.3 > Environment: Debian wheezy, Dell 1750 (dual 32-bit Xeon dual-core cpus), capturing on one 100 meg mirrored switch port > Reporter: Ted Llewellyn > Labels: binpac, ssh > Fix For: 2.4 > > Attachments: bro-bt-033115.txt > > > diag results: > [BroControl] > diag > [bro] > Bro 2.3-633 > Linux 3.2.0-4-686-pae > No gdb installed. > ==== No reporter.log > ==== stderr.log > listening on eth1, capture length 8192 bytes > bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie <= t_end_of_data' failed. > /usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted (core dumped) nohup "$mybro" "$@" > ==== stdout.log > max memory size (kbytes, -m) unlimited > data seg size (kbytes, -d) unlimited > virtual memory (kbytes, -v) unlimited > core file size (blocks, -c) unlimited > ==== .cmdline > -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto > ==== .env_vars > PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin > BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site > CLUSTER_NODE= > ==== .status > RUNNING [net_run] > ==== No prof.log > ==== No packet_filter.log > ==== No loaded_scripts.log > [BroControl] > -- This message was sent by Atlassian JIRA (v6.4-OD-16-006#64014)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet

by Johanna Amann (JIRA)

Johanna Amann created BIT-1364: ---------------------------------- Summary: Bro does not attach UDP analyzers when signature matches after first packet Key: BIT-1364 URL: https://bro-tracker.atlassian.net/browse/BIT-1364 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Affects Versions: git/master Reporter: Johanna Amann Fix For: 2.4 Attachments: f1.pcap, f2.pcap At the moment, Bro only seems to attach UDP analyzers based on signatures, if the very first UDP packet matches the signature. Even if later UDP packets match the signature, the analyzer is not attached. The attachments contain a test case. f1.pcap contains a DTLS connection with a few STUN packets that are sent first, which is not recognized as DTLS. f2.pcap contains the same connection with the first few packets missing. It would probably be nice if one could at least opt to attach analyzers at a later time too, if a signature matches. (I know that 2.4 is probably a bit optimistic for this). -- This message was sent by Atlassian JIRA (v6.4-OD-16-006#64014)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

by Michal Purzynski (JIRA)

Michal Purzynski created BIT-1363: ------------------------------------- Summary: Clustered AF_PACKET support Key: BIT-1363 URL: https://bro-tracker.atlassian.net/browse/BIT-1363 Project: Bro Issue Tracker Issue Type: New Feature Components: Bro Affects Versions: git/master Reporter: Michal Purzynski Let's have a support for packet capture with the AF_PACKET sockets in multi worker configuration. Bro can use a single worker with af_packet, I have tested and it works, but having a direct support for multi-worker load balancing would allow to avoid the pf_ring for many deployments with the traffic level where DNA / ZC / Myricom / DAG is not required. -- This message was sent by Atlassian JIRA (v6.4-OD-16-006#64014)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

by Jon Siwek (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.p… ] Jon Siwek commented on BIT-1361: -------------------------------- Ted, want to give the following patch a try? https://github.com/bro/binpac/commit/47333b9be514aeb7c1f8c1463dc40f0157181f… This is in the topic/jsiwek/bit-1361 branch of the binpac git repository. > New installation of Bro crashes and core dumps with error indicating ssh/binpac > ------------------------------------------------------------------------------- > > Key: BIT-1361 > URL: https://bro-tracker.atlassian.net/browse/BIT-1361 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.3 > Environment: Debian wheezy, Dell 1750 (dual 32-bit Xeon dual-core cpus), capturing on one 100 meg mirrored switch port > Reporter: Ted Llewellyn > Labels: binpac, ssh > Fix For: 2.4 > > Attachments: bro-bt-033115.txt > > > diag results: > [BroControl] > diag > [bro] > Bro 2.3-633 > Linux 3.2.0-4-686-pae > No gdb installed. > ==== No reporter.log > ==== stderr.log > listening on eth1, capture length 8192 bytes > bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie <= t_end_of_data' failed. > /usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted (core dumped) nohup "$mybro" "$@" > ==== stdout.log > max memory size (kbytes, -m) unlimited > data seg size (kbytes, -d) unlimited > virtual memory (kbytes, -v) unlimited > core file size (blocks, -c) unlimited > ==== .cmdline > -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto > ==== .env_vars > PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin > BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site > CLUSTER_NODE= > ==== .status > RUNNING [net_run] > ==== No prof.log > ==== No packet_filter.log > ==== No loaded_scripts.log > [BroControl] > -- This message was sent by Atlassian JIRA (v6.4-OD-16-006#64014)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-1362) topic/dnthayer/fixes-for-2.4

by Daniel Thayer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1362?page=com.atlassian.jira.p… ] Daniel Thayer updated BIT-1362: ------------------------------- Status: Merge Request (was: Open) > topic/dnthayer/fixes-for-2.4 > ---------------------------- > > Key: BIT-1362 > URL: https://bro-tracker.atlassian.net/browse/BIT-1362 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Daniel Thayer > Fix For: 2.4 > > > The branch topic/dnthayer/fixes-for-2.4 contains fixes that address > BIT-1360, 1355, 1349, 1329, and 631, as well as various other fixes > and improvements. -- This message was sent by Atlassian JIRA (v6.4-OD-16-006#64014)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-1362) topic/dnthayer/fixes-for-2.4

by Daniel Thayer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1362?page=com.atlassian.jira.p… ] Daniel Thayer updated BIT-1362: ------------------------------- Description: The branch topic/dnthayer/fixes-for-2.4 contains fixes that address BIT-1360, 1355, 1349, 1329, and 631, as well as various other fixes and improvements. > topic/dnthayer/fixes-for-2.4 > ---------------------------- > > Key: BIT-1362 > URL: https://bro-tracker.atlassian.net/browse/BIT-1362 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Daniel Thayer > Fix For: 2.4 > > > The branch topic/dnthayer/fixes-for-2.4 contains fixes that address > BIT-1360, 1355, 1349, 1329, and 631, as well as various other fixes > and improvements. -- This message was sent by Atlassian JIRA (v6.4-OD-16-006#64014)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-1362) topic/dnthayer/fixes-for-2.4

by Daniel Thayer (JIRA)

Daniel Thayer created BIT-1362: ---------------------------------- Summary: topic/dnthayer/fixes-for-2.4 Key: BIT-1362 URL: https://bro-tracker.atlassian.net/browse/BIT-1362 Project: Bro Issue Tracker Issue Type: Problem Components: BroControl Reporter: Daniel Thayer Fix For: 2.4 -- This message was sent by Atlassian JIRA (v6.4-OD-16-006#64014)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

by Ted Llewellyn (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.p… ] Ted Llewellyn commented on BIT-1361: ------------------------------------ I have attached a backtrace from 3/31/215. > New installation of Bro crashes and core dumps with error indicating ssh/binpac > ------------------------------------------------------------------------------- > > Key: BIT-1361 > URL: https://bro-tracker.atlassian.net/browse/BIT-1361 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.3 > Environment: Debian wheezy, Dell 1750 (dual 32-bit Xeon dual-core cpus), capturing on one 100 meg mirrored switch port > Reporter: Ted Llewellyn > Labels: binpac, ssh > Fix For: 2.4 > > Attachments: bro-bt-033115.txt > > > diag results: > [BroControl] > diag > [bro] > Bro 2.3-633 > Linux 3.2.0-4-686-pae > No gdb installed. > ==== No reporter.log > ==== stderr.log > listening on eth1, capture length 8192 bytes > bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie <= t_end_of_data' failed. > /usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted (core dumped) nohup "$mybro" "$@" > ==== stdout.log > max memory size (kbytes, -m) unlimited > data seg size (kbytes, -d) unlimited > virtual memory (kbytes, -v) unlimited > core file size (blocks, -c) unlimited > ==== .cmdline > -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto > ==== .env_vars > PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin > BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site > CLUSTER_NODE= > ==== .status > RUNNING [net_run] > ==== No prof.log > ==== No packet_filter.log > ==== No loaded_scripts.log > [BroControl] > -- This message was sent by Atlassian JIRA (v6.4-OD-16-006#64014)

6 years, 9 months

[Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

by Ted Llewellyn (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.p… ] Ted Llewellyn updated BIT-1361: ------------------------------- Attachment: bro-bt-033115.txt > New installation of Bro crashes and core dumps with error indicating ssh/binpac > ------------------------------------------------------------------------------- > > Key: BIT-1361 > URL: https://bro-tracker.atlassian.net/browse/BIT-1361 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.3 > Environment: Debian wheezy, Dell 1750 (dual 32-bit Xeon dual-core cpus), capturing on one 100 meg mirrored switch port > Reporter: Ted Llewellyn > Labels: binpac, ssh > Fix For: 2.4 > > Attachments: bro-bt-033115.txt > > > diag results: > [BroControl] > diag > [bro] > Bro 2.3-633 > Linux 3.2.0-4-686-pae > No gdb installed. > ==== No reporter.log > ==== stderr.log > listening on eth1, capture length 8192 bytes > bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie <= t_end_of_data' failed. > /usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted (core dumped) nohup "$mybro" "$@" > ==== stdout.log > max memory size (kbytes, -m) unlimited > data seg size (kbytes, -d) unlimited > virtual memory (kbytes, -v) unlimited > core file size (blocks, -c) unlimited > ==== .cmdline > -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto > ==== .env_vars > PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin > BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site > CLUSTER_NODE= > ==== .status > RUNNING [net_run] > ==== No prof.log > ==== No packet_filter.log > ==== No loaded_scripts.log > [BroControl] > -- This message was sent by Atlassian JIRA (v6.4-OD-16-006#64014)

6 years, 9 months

Jump to page:

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

zeek-dev March 2015