Re: [Bro-Dev] Building bro 2.6 with static broker/caf libraries

2018-12-06 Thread Seth Hall
____ > bro-dev mailing list > bro-dev@bro.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev -- Seth Hall * Corelight, Inc * www.corelight.com ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

Re: [Bro-Dev] attributes & named types

2018-12-05 Thread Seth Hall
emember those discussions we had about &log back then and I remember being the one that pushed for it but even then I didn't feel particularly comfortable with it (as I recall you feeling). .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] "bro" name is non-inclusive? (Contribution is rejected based )

2018-10-12 Thread Seth Hall
http://blog.bro.org/2018/10/renaming-bro-project_11.html Thanks for writing the uap plugin! .Seth -- Seth Hall * Corelight, Inc * www.corelight.com > On Mar 9, 2018, at 12:55 AM, Vitaly Repin wrote: > > Hello, > > I would like to bring your attention to one strange and unexpecte

Re: [Bro-Dev] DHCP event removal

2018-06-19 Thread Seth Hall
ncourage people to refer to fields by the field name rather than the ordinal position of the field. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] DHCP event removal

2018-06-18 Thread Seth Hall
Thanks Vlad! .Seth On 16 Jun 2018, at 9:07, Vlad Grigorescu wrote: > Yep, already working on it. :-) > > On Sat, Jun 16, 2018 at 6:26 AM, Seth Hall wrote: > >> >> On 15 Jun 2018, at 17:22, Azoff, Justin S wrote: >> >>> The fix is a little trickier, y

Re: [Bro-Dev] DHCP event removal

2018-06-15 Thread Seth Hall
Bro has re-reached the point where touching any number of things can set off an avalanche of problems like this. Anyone on this thread up for submitting a patch which makes Bro cope with the changes automatically? You can then even mark the old events as deprecated. :) .Seth -

Re: [Bro-Dev] DHCP event removal

2018-06-15 Thread Seth Hall
On 15 Jun 2018, at 20:02, Michał Purzyński wrote: > Hey, I use the dhcp analyzer because i cannot count on our dhcp logs. > Not just that, I do some detection around it. How much trouble is it to migrate your scripts to what's in Bro master? .Seth -- Seth Hall * Cor

Re: [Bro-Dev] DHCP event removal

2018-06-15 Thread Seth Hall
note in the release to say that developers will need to handle a new event to get the data. On the upside, you can handle both the old events and the new and they shouldn't impact each other (if you want to make a script work on multiple releases). .S

Re: [Bro-Dev] Moving to GitHub?

2018-05-17 Thread Seth Hall
t sure if we'd be able to do all of the git work from that though. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] Final Broker branch testing

2018-05-10 Thread Seth Hall
int but now I can't wait for you to be able to turn your attention to other stuff soon. :) Thanks! .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] timer delays between different events for same connection

2018-04-13 Thread Seth Hall
second so you see Bro's clock driven forward in very tiny increments as you would expect. If you go a long time without receiving a packet is when stuff gets tricky. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] Bro SMB1 Issue in smb_cmd.log

2018-02-23 Thread Seth Hall
(c) smb_cmd.log (d) smb_files.log (e) files.log (f) conn.log (g) packet_filter.log Not sure what is going wrong. Please help. Cheers, Mark

Re: [Bro-Dev] Queueing in Broker?

2018-02-13 Thread Seth Hall
ly be willing to receive up to the 1000 most recent message or up to 1MByte of data. I still haven't spent time with the broker API to see if these thoughts actually make sense though. :) .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] Shipping CAF with Broker?

2018-02-13 Thread Seth Hall
oncerned about the difficulty of building Bro from source too. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] Logging TCP server banners

2018-02-12 Thread Seth Hall
/or a way to know that the client has not sent any data on > the connection (like an equivalent of the `seq` parameter, but for the > `ack`)? > > Also, when `seq` equals 1, am I certain that I have not missed any > packet from the server? > > One more question: is there a better, cleaner, etc. way to do what I'm > trying to do? > > Thanks a lot, > > Pierre > > -- > Pierre > http://pierre.droids-corp.org/ -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] Bro DCE-RPC Fix for AlterContext and AlterContextResponse Parsers

2018-02-08 Thread Seth Hall
; > Cheers, > Mark > > -Original Message- > From: Seth Hall [mailto:s...@corelight.com] > Sent: Saturday, February 3, 2018 10:46 PM > To: Fernandez, Mark I > Cc: bro-dev@bro.org > Subject: Re: [Bro-Dev] Bro DCE-RPC Fix for AlterContext and > AlterContextResponse Parsers &

Re: [Bro-Dev] Bro DCE-RPC Fix for AlterContext and AlterContextResponse Parsers

2018-02-03 Thread Seth Hall
o submit the changes along with tests. Thanks, .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] Bro DCE-RPC Analyzer Questions

2018-01-31 Thread Seth Hall
existed with either of your outlined implementations I don't think we could resist merging it in. ;) .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] Bro DCE-RPC Analyzer Questions

2018-01-31 Thread Seth Hall
-- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] Merged branches deletion

2018-01-31 Thread Seth Hall
> Johanna -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] 'async' update and proposal

2018-01-30 Thread Seth Hall
e if we went that direction though? It seems like it could cause trouble by causing events to backup waiting for some other event to finish executing. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] SMB transaction messages pull request

2018-01-07 Thread Seth Hall
Thanks Jon! I do apologize Jeffrey, the pull request was my responsibility and I've been meaning to get to it. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com > On Jan 2, 2018, at 11:58 AM, Jon Siwek wrote: > > On Fri, Dec 29, 2017 at 2:19 AM, Bencteux Jeffrey >

Re: [Bro-Dev] Scientific notation?

2017-11-07 Thread Seth Hall
ing > the > current behavior. Ah, I like that idea. I think the current logs (both JSON formatted and normal Bro format) are fine for most people, but for the people that actually want doubles displayed differently this could give them that option. .Seth -- Seth Hall * Coreligh

[Bro-Dev] Scientific notation?

2017-11-06 Thread Seth Hall
k and they all support scientific notation (I think that was part of my concern a long time ago). Thoughts? .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] [Bro-Commits] [git/bro] topic/actor-system: First-pass broker-enabled Cluster scripting API + misc. (07ad06b)

2017-11-02 Thread Seth Hall
Some of these changes sound like they could take a while to prototype and figure out how they would be effectively used. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] New CAF release for new Broker

2017-09-29 Thread Seth Hall
ore. Woohoo! It's getting closer. :) .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

[Bro-Dev] NETMAP plugin

2017-09-29 Thread Seth Hall
bro-pkg install bro/bro-netmap You can read some more directions about how to use it in the repository here: https://github.com/bro/bro-netmap .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] Configuration framework syntax proposal

2017-09-25 Thread Seth Hall
On 22 Sep 2017, at 16:26, Jan Grashöfer wrote: >> module Foo; >> >> export { >> >> ## The username for our new feature. >> ## >> ## Display: User Name >> option user_name: string; >> >> } > > I really like tha

Re: [Bro-Dev] Configuration framework syntax proposal

2017-09-22 Thread Seth Hall
or instance, has a types tab which documents the names >> of >> the parameters, and what they do: >> https://forge.puppet.com/puppetlabs/mysql/types This would be pretty >> easy >> to do with the Broxygen documentation, and a UI could also expose >> this. >

Re: [Bro-Dev] Configuration framework syntax proposal

2017-09-21 Thread Seth Hall
owing "Username". Sometimes abstraction like this isn't warranted, but I think it has to be done here. Bro needs to turn into a platform that treats users as first class citizens in the community and we need to acknowledge that there will be a day that they won't be reading scrip

Re: [Bro-Dev] Configuration framework syntax proposal

2017-09-20 Thread Seth Hall
long and explanatory but may not end up being just right if someone simply wants to configure a behavior. There's also the problem of single level namespaces which will limit the expressiveness and depth that you could possibly give through configuration keys. .Seth -- Seth Hall * C

Re: [Bro-Dev] ASCII response filetype

2017-09-18 Thread Seth Hall
ably in most cases just an empty JSON array. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] Adding a non-Bro script packages to bro-pkg

2017-09-15 Thread Seth Hall
nt of Bro Packages makes sense. I always forget how many little tools are laying around that various people have written to process logs. Having those in the central repository would be really nice. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] bro-pkg dependencies ?

2017-09-08 Thread Seth Hall
e corelight/top-dns package. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] input-framework file locations

2017-08-28 Thread Seth Hall
ta stores to store and retrieve your data. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com

Re: [Bro-Dev] send_id (Re: [Bro-Commits] [git/bro] topic/jsiwek/actor-system: Finish port of control framework to use broker. (8dddae1))

2017-08-26 Thread Seth Hall
zed message. > > > > And I think deserializing into 'any' would be needed because it's > > not possible to e.g. explicitly enumerate all possible types in a Bro > > script and have a particular event signature to use for any given > one. &

Re: [Bro-Dev] clusterization issue: logger node vs manager node or both ?

2017-06-01 Thread Seth Hall
nt of the logger is that it doesn't have any script execution tasks to take care of and it's solely dedicated to logging. What's the problem you're trying to solve by running code there? .Seth -- Seth Hall * Corelight, Inc * s.

Re: [Bro-Dev] 2.5.1 release?

2017-05-12 Thread Seth Hall
Any opinions? I'd be fine with that. I think master is quite stable right now anyway. .Seth -- Seth Hall * Corelight, Inc * s...@corelight.com * www.corelight.com

Re: [Bro-Dev] can I send an opaque of bloomfilter over Cluster::manager2worker_event ?

2017-05-01 Thread Seth Hall
king of this, I think we still need to have broctl autogenerate a file with this configured to a random value when it starts up (if that file doesn't already exist). That way everyones cluster will end up with a random value that stays consistent across restarts. .Seth -- Seth

[Bro-Dev] ConfigurePackaging in plugins?

2017-04-17 Thread Seth Hall
I'm casting around for thoughts on adding a mechanism to add the ConfigurePackaging cmake packaging mechanism to plugins without having to replicate the cmake script in the main cmake repository or making near-clones of it. Is there some way we could use that script from the main Bro repository

Re: [Bro-Dev] [desired broker api as oppose to whats in known-hosts.bro]

2017-03-06 Thread Seth Hall
veruse of "when" for instance). .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

[Bro-Dev] Bro packages with plugins

2017-03-01 Thread Seth Hall
many we could avoid with static linking. - We would probably have to create more project infrastructure to build packages. Other thoughts? .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] Splitting up init-bare?

2017-02-11 Thread Seth Hall
ll of a protocol ephemera tied closely with it. Would that work? I know that internal and external plugins have some differences, but I don't know if that means we're limited in a bit in how we handle script land required data structures for analyzers. .Seth -- Seth Hall Intern

Re: [Bro-Dev] Scaling out bro cluster communication

2017-02-10 Thread Seth Hall
know that in the current programming model, making this cluster aware but still work not on a cluster can be painful to create the right abstraction. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] Broker's remote logging (BIT-1784)

2017-02-01 Thread Seth Hall
writes out the data it receives. Just to pile onto this, I think it should be this way too. I'd really like to avoid script code executing on the logger. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has

Re: [Bro-Dev] [Bro] ActiveHTTP

2017-02-01 Thread Seth Hall
e at all? I think we've had too many new Bro programmers get frustrated with this behavior which worries me a little bit. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] plugins/hooks test fail in the new year

2017-01-13 Thread Seth Hall
e thing with the mugs kind of fell flat anyway. :( .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] [Proposal] Language extensions for better Broker support

2016-12-15 Thread Seth Hall
an really complain here. >> I find "Error::Success" really unintuitive and kind of funny too. :) > > Yeah, agree, that's part of the question what namespace to use. > "Broker::Success" would certainly be nicer. Yep. .Seth -- Seth Ha

Re: [Bro-Dev] [Proposal] Language extensions for better Broker support

2016-12-15 Thread Seth Hall
cast the value to an error type, maybe like this... if ( v as error == Error::Success ) I find "Error::Success" really unintuitive and kind of funny too. :) .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] [Proposal] Language extensions for better Broker support

2016-12-14 Thread Seth Hall
aving nicely generalized error handling in Bro would be such a huge benefit for script authors. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] bro-pkg support for centralized package structures?

2016-10-24 Thread Seth Hall
rectives choosing to load certain scripts on different systems, etc). .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] Outstanding 2.5 tickets recap

2016-10-07 Thread Seth Hall
-tracker.atlassian.net/browse/BIT-1711?filter=10001 > Seth, this is just waiting on more feedback on the problem I think Left a note. I'll be working on stuff this weekend... again. :) .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network h

Re: [Bro-Dev] bro-pkg -> bropkg

2016-09-23 Thread Seth Hall
> On Sep 22, 2016, at 10:45 AM, Seth Hall wrote: > > Yeah, I think changing bro-cut is too far gone at this point. I was only > asking about bro-pkg because it's so new and so few people have it installed. Quick follow up. I'm fine leaving things as-is. It's c

Re: [Bro-Dev] bro-pkg -> bropkg

2016-09-22 Thread Seth Hall
use it's so new and so few people have it installed. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] ICAP Analyzer Design Guidance

2016-09-22 Thread Seth Hall
cause the conn_id is used at a table index in a lot of places. Is there somewhere else you could stash the information that you need? .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

[Bro-Dev] bro-pkg -> bropkg

2016-09-15 Thread Seth Hall
What does everyone think about making a change to rename bro-pkg to bropkg? I think we're early enough that we could probably get away with it and it fits with more with existing tools like broctl. I find it difficult to type the hyphen too for some reason. Thoughts? .Seth -- Seth

Re: [Bro-Dev] Updating NEWS for 2.5

2016-08-31 Thread Seth Hall
was reading Michal's email poorly. Everyone seems to be on the same page. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] Updating NEWS for 2.5

2016-08-31 Thread Seth Hall
e 2.5 release hasn't happened yet. :) Jan, would you mind if we posted this directly to the Bro blog? (obviously with all credit given to you!) .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] Warnings building current master

2016-08-11 Thread Seth Hall
s(const char*, yy_size_t)’: > /home/jgras/devel/bro/build/src/scan.cc:3286:19: warning: comparison > between signed and unsigned integer expressions [-Wsign-compare] > for ( i = 0; i < _yybytes_len; ++i ) > >

Re: [Bro-Dev] SMB in master

2016-08-09 Thread Seth Hall
that things are working ok, but I don't have any clue what would feel right or wrong. > [ 0%] coverage.bare-mode-errors ... failed Whoops. Fixed. Thanks, .Seth -- Seth Hall International Computer Science Institute (Bro) because everyo

[Bro-Dev] Kerberos changes

2016-08-09 Thread Seth Hall
one sees any trouble, let me know. Thanks, .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

[Bro-Dev] SMB in master

2016-08-08 Thread Seth Hall
that SMB is now in master. :) If you want to run it, make sure you load policy/protocols/smb because it isn't loaded by default. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.br

Re: [Bro-Dev] package manager progress

2016-07-27 Thread Seth Hall
ame would be > user/redis, for example, and there also could be user2/redis? I may have lost track of the design so I don't know where things stand now, but I think this would make sense too. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has

Re: [Bro-Dev] package manager progress

2016-07-27 Thread Seth Hall
ining individual plugins that provide a variety of features. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

[Bro-Dev] Remove application/pkix-cert from files.log?

2016-07-15 Thread Seth Hall
t doing the log. There is one minor issue that this brings up though in that right now certificate hashes are all given in the files.log. We could move them elsewhere like x509.log or ssl.log, but I'm curious if anyone had thoughts on what they think would be most useful? .Seth -- Set

Re: [Bro-Dev] Unified scan.bro script

2016-07-12 Thread Seth Hall
ngle noticed to watch for for "scanning". Having to watch for two different notices always felt a bit unnatural. I think that I personally care about scans, not the type of scan being performed (although there may be some nuance to that that someone is taking advantage of?). .Seth -

Re: [Bro-Dev] Bro plugins + broctl plugins?

2016-06-23 Thread Seth Hall
> On Jun 23, 2016, at 2:33 PM, Daniel Thayer wrote: > > Could you specify what the problem is with the current implementation in git > master? I see it now. I'll close again. Thanks! .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone h

Re: [Bro-Dev] Bro plugins + broctl plugins?

2016-06-23 Thread Seth Hall
done when he closed it either so I thought it might have been a mistake. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] Bro plugins + broctl plugins?

2016-06-23 Thread Seth Hall
> On Jun 23, 2016, at 12:52 PM, Slagell, Adam J wrote: > > https://bro-tracker.atlassian.net/browse/BIT-1551 I reopened this ticket since it looks like it was wrongly closed. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://ww

Re: [Bro-Dev] Bro plugins + broctl plugins?

2016-06-23 Thread Seth Hall
> On Jun 23, 2016, at 12:52 PM, Slagell, Adam J wrote: > > https://bro-tracker.atlassian.net/browse/BIT-1551 Great! Thanks Adam (and Daniel!). .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://ww

[Bro-Dev] Bro plugins + broctl plugins?

2016-06-23 Thread Seth Hall
Has any movement been made on the ability to add broctl plugins into bro plugins? I know we talked about it a few times, and it's sort of becoming necessary as more packet source plugins are showing up in the bro-plugins repository. .Seth -- Seth Hall International Computer Sc

Re: [Bro-Dev] CBAN naming

2016-06-14 Thread Seth Hall
use suddenly it suddenly feels very natural to explain the contents of a package (or whatever it ends up getting called). .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] New proposal (Re: CBAN naming)

2016-06-14 Thread Seth Hall
> On Jun 9, 2016, at 5:32 PM, Siwek, Jon wrote: > > I like the “packages” + “package-manager” combo that Johanna suggests. I like that too. It feels nice and clean. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://ww

Re: [Bro-Dev] Flare removal

2016-05-21 Thread Seth Hall
ves on the NCSA dev cluster yet? I'd be curious to hear if that fixes the problem. Or do you even see this issue on that cluster? .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

[Bro-Dev] Flare removal

2016-05-20 Thread Seth Hall
ing written that are seconds to minutes old. This isn't exactly a request for anyone to do anything, but more a call for anyone that would like to dig around in the core to figure out what is going on here so we can get a fix merged into master. Thanks! .Seth -- Seth Hall International C

Re: [Bro-Dev] 2.5 Roadmap

2016-05-10 Thread Seth Hall
y sounds > good to me. Agreed, looking forward to the changes Jan! .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

[Bro-Dev] [JIRA] (BIT-1581) topic/seth/stats-improvement

2016-05-02 Thread Seth Hall (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1581?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Seth Hall updated BIT-1581: --- Description: This branch is ready to be merged. It makes the "misc/stats.bro" much more

[Bro-Dev] [JIRA] (BIT-1581) topic/seth/stats-improvement

2016-05-02 Thread Seth Hall (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1581?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Seth Hall updated BIT-1581: --- Status: Merge Request (was: Open) > topic/seth/stats-improvem

[Bro-Dev] [JIRA] (BIT-1581) topic/seth/stats-improvement

2016-05-02 Thread Seth Hall (JIRA)
Seth Hall created BIT-1581: -- Summary: topic/seth/stats-improvement Key: BIT-1581 URL: https://bro-tracker.atlassian.net/browse/BIT-1581 Project: Bro Issue Tracker Issue Type: Improvement

Re: [Bro-Dev] Timing regression?

2016-04-25 Thread Seth Hall
> On Apr 20, 2016, at 3:49 PM, Robin Sommer wrote: > > No, but I also didn't look further. Could it be the new file > identifications (i.e., the regexps)? That was my thought too. I'll have to look into DFA state creations to see if we've walked into that problem a

Re: [Bro-Dev] Timing regression?

2016-04-20 Thread Seth Hall
d (+9.8%) Did you ever happen to figure out what was going on with this? .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] Test suite failures

2016-04-13 Thread Seth Hall
> On Apr 13, 2016, at 4:32 PM, Seth Hall wrote: > > It was a macro expansion name conflict. Oops! Now I noticed that you committed into fast path! We did the same fix at least. I suppose we should revert your change out of fast path now. I'll take care of that. .Seth

Re: [Bro-Dev] Test suite failures

2016-04-13 Thread Seth Hall
e conflict. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

[Bro-Dev] [JIRA] (BIT-1566) RFB (VNC) protocol analyzer

2016-04-12 Thread Seth Hall (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Seth Hall updated BIT-1566: --- Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) Merged with commit

[Bro-Dev] [JIRA] (BIT-1568) Add rtt field to dns.log

2016-04-11 Thread Seth Hall (JIRA)
Seth Hall created BIT-1568: -- Summary: Add rtt field to dns.log Key: BIT-1568 URL: https://bro-tracker.atlassian.net/browse/BIT-1568 Project: Bro Issue Tracker Issue Type: Improvement

[Bro-Dev] [JIRA] (BIT-1566) RFB (VNC) protocol analyzer

2016-04-11 Thread Seth Hall (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Seth Hall reassigned BIT-1566: -- Assignee: Seth Hall > RFB (VNC) protocol analy

[Bro-Dev] [JIRA] (BIT-1558) Bro's ascii formatter writing out scientific notation

2016-03-22 Thread Seth Hall (JIRA)
Seth Hall created BIT-1558: -- Summary: Bro's ascii formatter writing out scientific notation Key: BIT-1558 URL: https://bro-tracker.atlassian.net/browse/BIT-1558 Project: Bro Issue Tracker

Re: [Bro-Dev] [Bro-Commits] [git/bro] master: Files transferred over FTP were showing incorrect sizes. (08399da)

2016-03-12 Thread Seth Hall
> On Mar 11, 2016, at 5:33 PM, Robin Sommer wrote: > > This seems to be causing a number of baseline mismatches in the > external test suite. I can't tell if they are legitimate, did you run > the tests? Fixed. .Seth -- Seth Hall International Computer Science Ins

Re: [Bro-Dev] [Bro-Commits] [git/bro] master: Files transferred over FTP were showing incorrect sizes. (08399da)

2016-03-12 Thread Seth Hall
> On Mar 11, 2016, at 5:33 PM, Robin Sommer wrote: > > > On Fri, Mar 11, 2016 at 12:56 -0500, Seth Hall wrote: > >>Files transferred over FTP were showing incorrect sizes. > > This seems to be causing a number of baseline mismatches in the > external test s

[Bro-Dev] [JIRA] (BIT-1544) File analysis code fails due to CheckString

2016-03-03 Thread Seth Hall (JIRA)
Seth Hall created BIT-1544: -- Summary: File analysis code fails due to CheckString Key: BIT-1544 URL: https://bro-tracker.atlassian.net/browse/BIT-1544 Project: Bro Issue Tracker Issue Type: Problem

Re: [Bro-Dev] Broker updates?

2016-02-24 Thread Seth Hall
> On Feb 23, 2016, at 10:07 PM, Matthias Vallentin wrote: > > That's currently not supported, but it's on the wish list [1]. Ah, I haven't read through the broker extensions page in much detail yet. Thanks! .Seth -- Seth Hall International Computer Science Institut

[Bro-Dev] Broker updates?

2016-02-21 Thread Seth Hall
If there are updates to a Broker store, is there a way that I can get evented notification that a key was modified? I'm not seeing anything that provides that functionality yet, but I need it for something I'm working on. .Seth -- Seth Hall International Computer Science Inst

[Bro-Dev] [JIRA] (BIT-1521) known services should probably ignore gridftp-data

2016-02-17 Thread Seth Hall (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24201#comment-24201 ] Seth Hall commented on BIT-1521: What if you change known_services to... {code} table[

Re: [Bro-Dev] get_event_peer() with Broker

2016-02-02 Thread Seth Hall
s to be done on the manager. I think that giving up that information is reasonable and we do it. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] SMB2 - NTLM GSSAPI messages continued

2016-02-02 Thread Seth Hall
e messy cross-structure stuff can happen in scripts. > Any help on this is much appreciated; especially if you think I am > overlooking a hidden can of worms somewhere ;-) From what you've described here and in our off-list emails, I think you're on the right track.

Re: [Bro-Dev] get_event_peer() with Broker

2016-02-02 Thread Seth Hall
d be good for us if we stopped using it completely. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] Jenkins errors (Re: [Bro-Commits-Internal] UnitTests - Build # 6935 - Failure!)

2016-01-29 Thread Seth Hall
ake sure that this is included there for any future plugins that are created. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] Jenkins errors (Re: [Bro-Commits-Internal] UnitTests - Build # 6935 - Failure!)

2016-01-28 Thread Seth Hall
which I don't quite understand as c++11 > should be on by default, no?  Oh, is the elasticsearch plugin being built with C++11 enabled? .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/

Re: [Bro-Dev] SMB2 - NTLM GSSAPI messages

2016-01-25 Thread Seth Hall
route as it probably would be to > slow and then we would have two places where this parsing is done. This is almost certainly not a great idea as you learned. :) .Seth -- Seth Hall International Computer Science Institute (Bro) because everyo

[Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened

2016-01-24 Thread Seth Hall (JIRA)
[ https://bro-tracker.atlassian.net/browse/BIT-1510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23922#comment-23922 ] Seth Hall commented on BIT-1510: I'm actually not completely sure of all of the ca
