zeek-dev April 2016

zeek-dev@lists.zeek.org

151 discussions

[Bro-Dev] Per item expiration for tables

by Jan Grashöfer

Hi, I have a few things I am planning to add to the intel-framework. One of them is expiration for intelligence items. To achieve per item expiration in a table there is a little hack that is used in the notice-framework and in the new netcontrol-framework: By setting &create_expire=0 and returning the intended timeout for each item in the corresponding expire_func, one can achieve per item expiration (see e.g. scripts/base/frameworks/netcontrol/catch-and-release.bro). This approach however does not work for &read_expire and &write_expire, because accessing the item resets the expiration timeout based on the &read/write_expire attribute of the table (in this case 0) instead of the value that was previously returned by the expire_func. The following script demonstrates this effect: https://gist.github.com/J-Gras/061983dac59224a03d3bfad4476a1dd9 The straight-forward solution would be to allow each item to hold its own expiration timeout. Talking to Seth about this, we came up with two possible approaches to achieve this: 1) Use the return value of the expire_func to set this value. 2) Use a bif or language feature (e.g. expire 10sec { tbl[idx] }; ) to set this value. I would prefer the second approach, as the intention of the expire_func return value is to provide a delay for a single expiration event. This would e.g. allow to set an individual expire timeout of e.g. 1 hour for a single item. Once the expire_func is called one could set a delay of e.g. 10min. In case the item is accessed, the timeout would be reset to the originally intended 1 hour instead of 10min. What are your opinions on that? Which approach would you prefer or do you think per item expiration is a bad idea in general? Best regards, Jan

4 years, 5 months

[Bro-Dev] Opaque type in plugin

by Jan Grashöfer

Hi, just a quick question: Is it possible to create a new opaque type for Bro using a dynamic plugin without touching Bro sources? Best regards, Jan

4 years, 7 months

[Bro-Dev] which of these Lintian error messages need tickets?

by Dopheide, Jeannette M

Hello Bro-Dev, See link: https://lintian.debian.org/full/bengen@debian.org.html#bro_2.4.1_x2bdfsg-2 Below I've listed the errors/alerts associated with the software we develop (e.g., bro, broctl, btests, etc.) and grouped them by error message. Which, if any, of these errors need a ticket to fix? 1. binary file built without LFS support binpac: binary-file-built-without-LFS-support<https://lintian.debian.org/tags/binary-file-built-without-LFS-support.html> usr/bin/binpac bro (2.4.1+dfsg-2+b3; main): binary-file-built-without-LFS-support<https://lintian.debian.org/tags/binary-file-built-without-LFS-support.html> usr/bin/bro bro-aux (0.35-1): binary-file-built-without-LFS-support<https://lintian.debian.org/tags/binary-file-built-without-LFS-support.html> usr/bin/nfcollector 2. binary without manpage binpac (0.44-1): binary-without-manpage<https://lintian.debian.org/tags/binary-without-manpage.html> usr/bin/binpac usr/bin/binpac btest (0.54-1): binary-without-manpage<https://lintian.debian.org/tags/binary-without-manpage.html> usr/bin/btest usr/bin/btest-ask-update usr/bin/btest-bg-run usr/bin/btest-bg-run-helper usr/bin/btest-bg-wait usr/bin/btest-diff usr/bin/btest-diff-rst usr/bin/btest-rst-cmd usr/bin/btest-rst-include usr/bin/btest-rst-pipe usr/bin/btest-setsid 3. hardening no bindnow binpac (0.44-1): hardening-no-bindnow<https://lintian.debian.org/tags/hardening-no-bindnow.html> usr/bin/binpac usr/bin/binpac bro (2.4.1+dfsg-2+b3; main): hardening-no-bindnow<https://lintian.debian.org/tags/hardening-no-bindnow.html> usr/bin/bro usr/bin/bro bro-aux (0.35-1): hardening-no-bindnow<https://lintian.debian.org/tags/hardening-no-bindnow.html> usr/bin/adtrace usr/bin/adtrace usr/bin/bro-cut usr/bin/bro-cut usr/bin/ftwire2bro usr/bin/ftwire2bro usr/bin/nfcollector usr/bin/nfcollector usr/bin/rst usr/bin/rst capstats (0.22-1): hardening-no-bindnow<https://lintian.debian.org/tags/hardening-no-bindnow.html> usr/bin/capstats usr/bin/capstats 4. hardening no pie binpac (0.44-1): hardening-no-pie<https://lintian.debian.org/tags/hardening-no-pie.html> usr/bin/binpac usr/bin/binpac bro (2.4.1+dfsg-2+b3; main): hardening-no-pie<https://lintian.debian.org/tags/hardening-no-pie.html> usr/bin/bro usr/bin/bro bro-aux (0.35-1): hardening-no-pie<https://lintian.debian.org/tags/hardening-no-pie.html> usr/bin/adtrace usr/bin/adtrace usr/bin/bro-cut usr/bin/bro-cut usr/bin/ftwire2bro usr/bin/ftwire2bro usr/bin/nfcollector usr/bin/nfcollector usr/bin/rst usr/bin/rst capstats (0.22-1): hardening-no-pie<https://lintian.debian.org/tags/hardening-no-pie.html> usr/bin/capstats usr/bin/capstats 5. no ctrl scripts binpac (0.44-1): no-ctrl-scripts<https://lintian.debian.org/tags/no-ctrl-scripts.html> bro (2.4.1+dfsg-2+b3; main): no-ctrl-scripts<https://lintian.debian.org/tags/no-ctrl-scripts.html> bro-common: no-ctrl-scripts<https://lintian.debian.org/tags/no-ctrl-scripts.html> bro-aux (0.35-1): no-ctrl-scripts<https://lintian.debian.org/tags/no-ctrl-scripts.html> capstats (0.22-1): no-ctrl-scripts<https://lintian.debian.org/tags/no-ctrl-scripts.html> 6. static library has unneeded section binpac (0.44-1): static-library-has-unneeded-section<https://lintian.debian.org/tags/static-library-has-unneeded-section.html> usr/lib/libbinpac.a(binpac_buffer.cc.o) .comment usr/lib/libbinpac.a(binpac_buffer.cc.o) .comment usr/lib/libbinpac.a(binpac_bytestring.cc.o) .comment usr/lib/libbinpac.a(binpac_bytestring.cc.o) .comment usr/lib/libbinpac.a(binpac_regex.cc.o) .comment usr/lib/libbinpac.a(binpac_regex.cc.o) .comment 7. unused override bro (2.4.1+dfsg-2+b3; main): unused-override<https://lintian.debian.org/tags/unused-override.html> description-starts-with-package-name 8. extended description is probably too short bro-common: extended-description-is-probably-too-short<https://lintian.debian.org/tags/extended-description-is-probably-too-short.…> 9. ctrl script (is this really an error? it doesn't seem like one) broctl (1.4-1): ctrl-script<https://lintian.debian.org/tags/ctrl-script.html> postinst prerm btest (0.54-1): ctrl-script<https://lintian.debian.org/tags/ctrl-script.html> postinst prerm 10. vcs field uses insecure uri trace-summary (0.84-1): vcs-field-uses-insecure-uri<https://lintian.debian.org/tags/vcs-field-uses-insecure-uri.html> vcs-browser http://anonscm.debian.org/cgit/collab-maint/trace-summary.git vcs-git git://anonscm.debian.org/collab-maint/trace-summary.git<http://debian.org/collab-maint/trace-summary.git> ------ Jeannette M. Dopheide Bro Outreach Coordinator National Center for Supercomputing Applications University of Illinois at Urbana-Champaign

4 years, 7 months

[Bro-Dev] [JIRA] (BIT-1580) Add ipv6 detection to conn.log

by Malware Utkonos (JIRA)

Malware Utkonos created BIT-1580: ------------------------------------ Summary: Add ipv6 detection to conn.log Key: BIT-1580 URL: https://bro-tracker.atlassian.net/browse/BIT-1580 Project: Bro Issue Tracker Issue Type: Patch Components: Bro Affects Versions: 2.4 Reporter: Malware Utkonos This is an additional column added to conn.log to determine if the connection is using ipv6. The address itself makes this clear, but it is much easier to grep for T/F than examining the address. Pull request with patch: https://github.com/bro/bro/pull/70 -- This message was sent by Atlassian JIRA (v1000.5.0#72002)

4 years, 7 months

[Bro-Dev] [Auto] Merge Status

by Merge Tracker

Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- -------------- ------------ ---------- ------------- ---------- ------------------------------------------------------ BIT-1579 [1] Bro Johanna Amann - 2016-04-29 2.5 Normal Please merge topic/johanna/xmpp-starttls BIT-1571 [2] BroControl Adam Slagell - 2016-04-28 2.5 Low Connection summaries w/ IPv6 have poor readabiity BIT-1510 [3] BroControl Seth Hall Justin Azoff 2016-04-07 2.5 Normal Crash reports when no crash happened BIT-1507 [4] Bro Jan Grashoefer Seth Hall 2016-01-25 - Low Intel framework does not match mail addresses properly Open Fastpath Commits ====================== Commit Component Author Date Summary ----------- ----------- ------------- ---------- ------------------------------------------------------- 373c872 [5] bro Daniel Thayer 2016-04-29 Fix a few incorrect type tags in Bro broker source code 362bf7a [6] bro Daniel Thayer 2016-04-27 Update docs and tests of the fmt() function 23d2562 [7] bro Seth Hall 2016-04-13 Revert "Fix RFB analyzer to build on FreeBSD" 16c0707 [8] bro Daniel Thayer 2016-04-13 Fix RFB analyzer to build on FreeBSD Open GitHub Pull Requests ========================= Issue Component User Updated Title -------- ----------- --------------- ---------- ----------------------------------------------------------------------- #52 [9] bro J-Gras [10] 2016-04-07 Fixed matching mail address intel [11] #22 [12] bro-plugins nickwallen [13] 2016-04-11 BIT-1559 Bro-Plugins Send each log stream to different kafka topic [14] #18 [15] bro-plugins jshlbrd [16] 2016-03-03 SSDP analyzer [17] [1] BIT-1579 https://bro-tracker.atlassian.net/browse/BIT-1579 [2] BIT-1571 https://bro-tracker.atlassian.net/browse/BIT-1571 [3] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510 [4] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507 [5] 373c872 https://github.com/bro/bro/commit/373c872e939f97c498b029cd08d4b24c0ab71c70 [6] 362bf7a https://github.com/bro/bro/commit/362bf7aee12814781ef97242accb176423cd2a64 [7] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673 [8] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f [9] Pull Request #52 https://github.com/bro/bro/pull/52 [10] J-Gras https://github.com/J-Gras [11] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507 [12] Pull Request #22 https://github.com/bro/bro-plugins/pull/22 [13] nickwallen https://github.com/nickwallen [14] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics [15] Pull Request #18 https://github.com/bro/bro-plugins/pull/18 [16] jshlbrd https://github.com/jshlbrd [17] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

4 years, 7 months

[Bro-Dev] [JIRA] (BIT-1579) Please merge topic/johanna/xmpp-starttls

by Johanna Amann (JIRA)

Johanna Amann created BIT-1579: ---------------------------------- Summary: Please merge topic/johanna/xmpp-starttls Key: BIT-1579 URL: https://bro-tracker.atlassian.net/browse/BIT-1579 Project: Bro Issue Tracker Issue Type: New Feature Components: Bro Affects Versions: git/master Reporter: Johanna Amann Fix For: 2.5 Please merge topic/johanna/xmpp-starttls This branch adds very basic support for XMPP, just up to the point when SSL encryption starts, when it switches to the SSL analyzer. Similar to the case of IMAP, this allows us to extract certificates from xmpp sessions that are upgraded. -- This message was sent by Atlassian JIRA (v1000.5.0#72002)

4 years, 7 months

[Bro-Dev] [JIRA] (BIT-1579) Please merge topic/johanna/xmpp-starttls

by Johanna Amann (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1579?page=com.atlassian.jira.p… ] Johanna Amann updated BIT-1579: ------------------------------- Status: Merge Request (was: Open) > Please merge topic/johanna/xmpp-starttls > ----------------------------------------- > > Key: BIT-1579 > URL: https://bro-tracker.atlassian.net/browse/BIT-1579 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: Johanna Amann > Fix For: 2.5 > > > Please merge topic/johanna/xmpp-starttls > This branch adds very basic support for XMPP, just up to the point when SSL encryption starts, when it switches to the SSL analyzer. Similar to the case of IMAP, this allows us to extract certificates from xmpp sessions that are upgraded. -- This message was sent by Atlassian JIRA (v1000.5.0#72002)

4 years, 7 months

[Bro-Dev] [Auto] Merge Status

by Merge Tracker

Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- -------------- ------------ ---------- ------------- ---------- ------------------------------------------------------ BIT-1571 [1] BroControl Adam Slagell - 2016-04-28 2.5 Low Connection summaries w/ IPv6 have poor readabiity BIT-1510 [2] BroControl Seth Hall Justin Azoff 2016-04-07 2.5 Normal Crash reports when no crash happened BIT-1507 [3] Bro Jan Grashoefer Seth Hall 2016-01-25 - Low Intel framework does not match mail addresses properly Open Fastpath Commits ====================== Commit Component Author Date Summary ----------- ----------- ------------- ---------- ------------------------------------------------------- 373c872 [4] bro Daniel Thayer 2016-04-29 Fix a few incorrect type tags in Bro broker source code 362bf7a [5] bro Daniel Thayer 2016-04-27 Update docs and tests of the fmt() function 23d2562 [6] bro Seth Hall 2016-04-13 Revert "Fix RFB analyzer to build on FreeBSD" 16c0707 [7] bro Daniel Thayer 2016-04-13 Fix RFB analyzer to build on FreeBSD Open GitHub Pull Requests ========================= Issue Component User Updated Title -------- ----------- --------------- ---------- ----------------------------------------------------------------------- #52 [8] bro J-Gras [9] 2016-04-07 Fixed matching mail address intel [10] #22 [11] bro-plugins nickwallen [12] 2016-04-11 BIT-1559 Bro-Plugins Send each log stream to different kafka topic [13] #18 [14] bro-plugins jshlbrd [15] 2016-03-03 SSDP analyzer [16] [1] BIT-1571 https://bro-tracker.atlassian.net/browse/BIT-1571 [2] BIT-1510 https://bro-tracker.atlassian.net/browse/BIT-1510 [3] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507 [4] 373c872 https://github.com/bro/bro/commit/373c872e939f97c498b029cd08d4b24c0ab71c70 [5] 362bf7a https://github.com/bro/bro/commit/362bf7aee12814781ef97242accb176423cd2a64 [6] 23d2562 https://github.com/bro/bro/commit/23d25628ad9473f2a0faecafb1d6eb157a141673 [7] 16c0707 https://github.com/bro/bro/commit/16c0707b1d804ccfcc671fb9642a0c21ffd7219f [8] Pull Request #52 https://github.com/bro/bro/pull/52 [9] J-Gras https://github.com/J-Gras [10] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507 [11] Pull Request #22 https://github.com/bro/bro-plugins/pull/22 [12] nickwallen https://github.com/nickwallen [13] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/nickwallen/bro-plugins.git support-many-kafka-topics [14] Pull Request #18 https://github.com/bro/bro-plugins/pull/18 [15] jshlbrd https://github.com/jshlbrd [16] Merge Pull Request #18 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro-plugins-1.git topic/jshlbrd/ssdp

4 years, 7 months

[Bro-Dev] Timing regression?

by Robin Sommer

I just ran the external testsuite for current master on my development system, and I'm seeing some quite increased execution times: [ 50%] tests.short ... failed (+3.4%) [ 75%] tests.medium ... failed (+1.5%) [ 28%] tests.m57-short ... failed (+4.6%) [ 71%] tests.ipv6 ... failed (+39.8%) [ 85%] tests.m57-long ... failed (+9.8%) The short tests are prone to fluctuate in timing, but the increases for ipv6 and m57-long are sticking out. Any ideas what could be causing this? Robin -- Robin Sommer * ICSI/LBNL * robin(a)icir.org * www.icir.org/robin

4 years, 7 months

[Bro-Dev] [JIRA] (BIT-1449) Wrap Broker Bifs into script-level functions

by Robin Sommer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1449?page=com.atlassian.jira.p… ] Robin Sommer updated BIT-1449: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > Wrap Broker Bifs into script-level functions > -------------------------------------------- > > Key: BIT-1449 > URL: https://bro-tracker.atlassian.net/browse/BIT-1449 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Robin Sommer > Assignee: Robin Sommer > Fix For: 2.5 > > > When working with Broker in Bro, one currently calls its bifs directly. That works just fine, but is a problem for documentation: the bifs are defined outside of the Broker framework, splitting the information across two places. > We should do here what other framework do: rename the Bifs to have internal-only names ({{__<name>}}) and then provide wrapper functions inside the framework that just forward to those internals ones. -- This message was sent by Atlassian JIRA (v1000.5.0#72002)

4 years, 7 months

Jump to page:

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

zeek-dev April 2016