From f9cd97d78d20ac6ad0875db859909817409171ab Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Mon, 15 Aug 2011 20:56:59 -0700
Subject: [PATCH 1/3] Fixing ref'counting problem.

---
 aux/broctl | 2 +-
 src/Expr.cc | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/aux/broctl b/aux/broctl
index c39622855e..ad8dfaba0c 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit c39622855e3c3a5cc94c7376f86184ed1db1939a
+Subproject commit ad8dfaba0c0c784060aa6f0c5e1fcf62244b1a51
diff --git a/src/Expr.cc b/src/Expr.cc
index c4fbe5930a..2e07c41d28 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -5022,13 +5022,11 @@ Val* ListExpr::InitVal(const BroType* t, Val* aggr) const
 Expr* e = exprs[i];
 check_and_promote_expr(e, vec->Type()->AsVectorType()->YieldType());
 Val* v = e->Eval(0);
- if ( ! vec->Assign(i, v->RefCnt() == 1 ? v->Ref() : v, e) )
+ if ( ! vec->Assign(i, v, e) )
 {
 e->Error(fmt("type mismatch at index %d", i));
 return 0;
 }
-
- Unref(v);
 }

 return aggr;

From 63eac6c1745b5adcddf26d8413cf0aba0b83e11e Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Mon, 15 Aug 2011 21:10:30 -0700
Subject: [PATCH 2/3] Reclassifying more DNS manager errors. Closes #461.

---
 src/DNS_Mgr.cc | 33 ++++++++++++++++++++-------------
 src/DNS_Mgr.h | 5 +++--
 2 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc
index e6bebda875..87d0db4dac 100644
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@@ -360,7 +360,7 @@ DNS_Mgr::DNS_Mgr(DNS_MgrMode arg_mode)

 nb_dns = nb_dns_init(err);
 if ( ! nb_dns )
- reporter->Warning(fmt("problem initializing NB-DNS: %s", err));
+ reporter->Warning("problem initializing NB-DNS: %s", err);

 dns_mapping_valid = dns_mapping_unverified = dns_mapping_new_name = dns_mapping_lost_name = dns_mapping_name_changed =
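Review bot: On the type-mismatch path the freshly evaluated `v` is never released — the balancing `Unref(v)` was removed outright, so when `vec->Assign(i, v, e)` returns false the function returns 0 and `v` leaks (assuming Assign only takes ownership on success, which is what dropping the unconditional Unref implies). Adding `Unref(v);` immediately before `return 0;` closes that path. `v` is also handed to Assign with no null check; if `e->Eval(0)` can return 0 on an evaluation error, Assign now receives a null value where the old code would have crashed on `v->RefCnt()`, so a guard such as `if ( ! v ) return 0;` is worth considering. The loop and the body of ListExpr::InitVal begin before this hunk.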
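Review bot: After this warning the constructor carries on with `nb_dns` null, and the later hunks in the same series still pass `nb_dns` straight to `nb_dns_fd()` and `nb_dns_activity()` with no null check visible, so a failed resolver initialization is now a deferred crash rather than a reported failure. If running without a resolver is intended, the users of `nb_dns` need an explicit guard like `if ( ! nb_dns ) return -1;`; otherwise this case should be fatal like the other reclassified errors in this commit. The constructor body continues outside the hunk, so a guard may already exist further down — confirm.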
@@ -447,7 +447,7 @@ TableVal* DNS_Mgr::LookupHost(const char* name)
 return d->Addrs()->ConvertToSet();
 else
 {
- reporter->Warning("no such host:", name);
+ reporter->Warning("no such host: %s", name);
 return empty_addr_set();
 }
 }
@@ -460,7 +460,7 @@ TableVal* DNS_Mgr::LookupHost(const char* name)
 return empty_addr_set();

 case DNS_FORCE:
- reporter->InternalError("can't find DNS entry for %s in cache", name);
+ reporter->FatalError("can't find DNS entry for %s in cache", name);
 return 0;

 case DNS_DEFAULT:
@@ -490,7 +490,7 @@ Val* DNS_Mgr::LookupAddr(uint32 addr)
 return d->Host();
 else
 {
- reporter->Warning("can't resolve IP address:", dotted_addr(addr));
+ reporter->Warning("can't resolve IP address: %s", dotted_addr(addr));
 return new StringVal(dotted_addr(addr));
 }
 }
@@ -503,7 +503,7 @@ Val* DNS_Mgr::LookupAddr(uint32 addr)
 return new StringVal("");

 case DNS_FORCE:
- reporter->InternalError("can't find DNS entry for %s in cache",
+ reporter->FatalError("can't find DNS entry for %s in cache",
 dotted_addr(addr));
 return 0;
@@ -574,7 +574,7 @@ void DNS_Mgr::Resolve()
 struct nb_dns_result r;
 status = nb_dns_activity(nb_dns, &r, err);
 if ( status < 0 )
- reporter->InternalError(
+ reporter->Warning(
 "NB-DNS error in DNS_Mgr::WaitForReplies (%s)",
 err);
 else if ( status > 0 )
@@ -823,7 +823,7 @@ void DNS_Mgr::LoadCache(FILE* f)
 }

 if ( ! m->NoMapping() )
- reporter->InternalError("DNS cache corrupted");
+ reporter->FatalError("DNS cache corrupted");

 delete m;
 fclose(f);
@@ -958,7 +958,7 @@ void DNS_Mgr::IssueAsyncRequests()

 if ( ! dr->MakeRequest(nb_dns) )
 {
- reporter->Error("can't issue DNS request");
+ reporter->Warning("can't issue DNS request");
 req->Timeout();
 continue;
 }
@@ -1095,7 +1095,10 @@ int DNS_Mgr::AnswerAvailable(int timeout)
 {
 int fd = nb_dns_fd(nb_dns);
 if ( fd < 0 )
- reporter->InternalError("nb_dns_fd() failed in DNS_Mgr::WaitForReplies");
+ {
+ reporter->Warning("nb_dns_fd() failed in DNS_Mgr::WaitForReplies");
+ return -1;
+ }

 fd_set read_fds;

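Review bot: Turning the `nb_dns_activity()` failure into a warning leaves control flow untouched, so on a persistent error (a closed or broken resolver socket, for instance) every pass through the enclosing wait loop will emit the same warning and carry on instead of giving up; that loop lies outside this hunk, so whether it terminates on its own cannot be confirmed here. If it does not, a `break;` after the warning, or timing out the pending requests, keeps a dead resolver from spinning and flooding the log. The message also still names `WaitForReplies` although it is emitted from `DNS_Mgr::Resolve`, which misleads anyone triaging the log: `"NB-DNS error in DNS_Mgr::Resolve (%s)"`.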
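Review bot: A corrupt on-disk DNS cache now takes the whole process down through `FatalError`, yet the cache is parsed from a file at startup and is only a performance artifact that can be rebuilt, so a truncated or tampered cache file becomes a startup denial of service. The safer failure mode is to warn, stop reading, and fall back to live resolution: `reporter->Warning("DNS cache corrupted, ignoring remainder");` followed by the existing `delete m; fclose(f);` and a return. Note that `delete m` and `fclose(f)` after the call are unreachable if `FatalError` does not return, which its name suggests — confirm.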
@@ -1110,13 +1113,17 @@ int DNS_Mgr::AnswerAvailable(int timeout)

 if ( status < 0 )
 {
- if ( errno == EINTR )
- return -1;
- reporter->InternalError("problem with DNS select");
+ if ( errno != EINTR )
+ reporter->Warning("problem with DNS select");
+
+ return -1;
 }

 if ( status > 1 )
- reporter->InternalError("strange return from DNS select");
+ {
+ reporter->Warning("strange return from DNS select");
+ return -1;
+ }

 return status;
 }
diff --git a/src/DNS_Mgr.h b/src/DNS_Mgr.h
index 580eae92f1..151c05289f 100644
--- a/src/DNS_Mgr.h
+++ b/src/DNS_Mgr.h
@@ -100,8 +100,9 @@ protected:
 void LoadCache(FILE* f);
 void Save(FILE* f, PDict(DNS_Mapping)& m);

- // Selects on the fd to see if there is an answer available (timeout is
- // secs). Returns 0 on timeout, -1 on EINTR, and 1 if answer is ready.
+ // Selects on the fd to see if there is an answer available (timeout
+ // is secs). Returns 0 on timeout, -1 on EINTR or other error, and 1
+ // if answer is ready.
 int AnswerAvailable(int timeout);

 // Issue as many queued async requests as slots are available.

From 8286fdeea18e962c2326adfa3d0d5da13e2fce73 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 16 Aug 2011 08:28:08 -0400
Subject: [PATCH 3/3] Updates for SQL injection attack detection to match the metrics framework updates.

---
 scripts/policy/protocols/http/detect-sqli.bro | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro
index 45a2bdb205..e2933626f7 100644
--- a/scripts/policy/protocols/http/detect-sqli.bro
+++ b/scripts/policy/protocols/http/detect-sqli.bro
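Review bot: The new `-1` return no longer distinguishes EINTR from a hard `select()` failure, so any caller that retries on `-1` — the EINTR contract the old header comment documented — will now retry a permanent failure and emit a warning on every iteration; the callers are outside this hunk, so confirm they stop after repeated `-1`, or return a distinct value such as `-2` for the non-EINTR case. The warning also drops the reason, which is the one thing an operator needs: `reporter->Warning("problem with DNS select: %s", strerror(errno));` (add `<string.h>` if the file does not already include it) and keep reading `errno` before any other call, as the hunk already does. `AnswerAvailable` begins before this hunk.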
@@ -35,13 +35,13 @@ export {

 event bro_init()
 {
- Metrics::add_filter(SQL_ATTACKS, [$log=T,
- $break_interval=1mins,
+ Metrics::add_filter(SQL_ATTACKS, [$log=F,
+ $break_interval=5mins,
 $note=SQL_Injection_Attacker]);
- Metrics::add_filter(SQL_ATTACKS_AGAINST, [$log=T,
- $break_interval=1mins,
+ Metrics::add_filter(SQL_ATTACKS_AGAINST, [$log=F,
+ $break_interval=5mins,
 $note=SQL_Injection_Attack,
- $notice_thresholds=vector(10,100)]);
+ $notice_threshold=50]);
 }

 event http_request(c: connection, method: string, original_URI: string,
@@ -51,7 +51,7 @@ event http_request(c: connection, method: string, original_URI: string,
 {
 add c$http$tags[URI_SQLI];

- Metrics::add_data(SQL_ATTACKS, [$host=c$id$orig_h]);
- Metrics::add_data(SQL_ATTACKS_AGAINST, [$host=c$id$resp_h]);
+ Metrics::add_data(SQL_ATTACKS, [$host=c$id$orig_h], 1);
+ Metrics::add_data(SQL_ATTACKS_AGAINST, [$host=c$id$resp_h], 1);
 }
 }
\ No newline at end of file
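Review bot: With `$log=F` on both filters and the first notice moved from 10 hits to a single threshold of 50 per 5-minute interval, a host that sends fewer than 50 matching requests per interval now leaves no record at all — the metric rows are no longer logged and no notice fires — which is exactly the low-and-slow pattern injection scanners use to stay under thresholds. Keeping `$log=T` on at least `SQL_ATTACKS`, or choosing a lower threshold, preserves the audit trail for later hunting. The `SQL_ATTACKS` filter also sets `$note=SQL_Injection_Attacker` without any `$notice_threshold`; unless the metrics framework supplies a default, that notice can never be raised — confirm against `Metrics::add_filter`, or add `$notice_threshold=50` there too.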