bro 0.6 alpha now available

Vern Paxson vern at
Wed Jul 21 23:08:18 PDT 1999

The Bro 0.6 alpha distribution is now available from

There have been a number of additions and changes.  I've appended
the corresponding entries from the CHANGES file.


v0.6 Wed Jul 21 17:02:50 PDT 1999

- Support for regular expressions added.  You specify lex-style regular
  expressions between '/'s, for example "/\/etc\/(passwd|shadow)/" has
  the type "pattern" and matches /etc/passwd or /etc/shadow (the slashes
  in the pattern need to be escaped or else they'd delimit the end of the
  pattern).  Pattern-matching is via the "in" operator, so for example:

	if ( filename in /\/etc\/(passwd|shadow)/ )


	const sensitive_files = /\/etc\/(passwd|shadow)/;


	if ( filename in sensitive_files )

  Presently the "in" operator requires that the entire left-hand side
  be matched by the pattern.  So, for example, if you want to find the
  string "eggdrop" anywhere inside the string "line", you would use

	if ( line in /.*eggdrop.*/ )

  If you leave off either of the .*'s, then eggdrop will only be matched
  at the beginning or end of the line.

  In the future, there will be mechanisms for specifying whether you
  want to match anywhere in a line, or anchored; accordingly, *the above
  syntax is subject to change*.

  Bro compiles regular expressions into DFAs for fast matching.  This can take
  quite a bit of time for complicated patterns.  Consequently, it maintains a
  cache of compiled regular expressions in $HOME/.bro-RE-cache-v1.  You can
  always safely remove this file; Bro will recreate/repopulate it as needed.
  It does not clean up unused entries from it, so if you change your patterns
  frequently, you will accumulate lots of old ones and should delete the
  file to garbage collect them.

- An rlogin analysis module has been added and the telnet analysis
  generalized to generic "login" analysis, with the following events:

	login_failure(c: connection, user: string, client_user: string,
			password: string, line: string)
		Generated on a failed attempt to log in.  client_user is
		the remote user name, if the login is via the rlogin

	login_success(c: connection, user: string, client_user: string,
			password: string, line: string)
		Generated on a successful attempt to log in.

	login_input_line(c: connection, line: string)
		Generated per line of input typed by the user.
	login_output_line(c: connection, line: string)
		Generated per line of output generated by the server.

	login_confused(c: connection, msg: string, line: string)
		Generated when a login dialog confuses the heuristic
		analyzer.  msg is a tag for the state mismatch that
		was unexpected, line is the corresponding dialog text.

	login_confused_text(c: connection, line: string)
		Once a connection is in the confused state, then this
		is generated for each subsequent line.

	login_terminal(c: connection, terminal: string)
		Generated if the terminal type associated with the
		connection is seen.

	login_display(c: connection, display: string)
		Generated if the display associated with the connection
		is seen.

	excessive_line(c: connection)
		Generated when the connection has produced an excessively
		long line.

  login_input_line() and login_output_line() are very powerful for
  detecting intrusions, when coupled with regular-expression matching.

  login_terminal() is used to detect backdoors that are triggered
  by the terminal environment variable.

- An ident analysis module has been added (port 113).  It generates
  ident_request, ident_reply, and ident_error events.  Port 113 used
  to be referred to as "auth"; now it's referred to as "ident".

- A new type of scan detection has been added, which is triggered
  by a remote host trying a large number of username/password
  combinations.  See the account_tried() function in scan.bro.

- The default search path for .bro files is now


  where priv-policy/ is intended for private policy and pub-policy/
  for public policy.  The Bro alpha distribution ships with a
  sample set of pub-policy scripts.

- New built-ins:

	system(s: string): int
		executes the given shell command using system()
		and returns its status.

	set_contents_file(c: conn_id, direction: count, f: file)
		copies connection c's reassembled byte stream in
		either the originator-to-responder direction (if
		direction is CONTENTS_ORIG) or the responder-to-
		originator direction (CONTENTS_RESP) to the file f.

	reading_live_traffic(): bool
		returns true if Bro is running on live traffic (read
		from a network interface), false if it's reading from
		a save file.

	mkdir(f: string): bool
		creates the given directory, returning true if it
		was able to, false if not.

	get_orig_seq(c: conn_id): count;
		returns the highest sequence number sent by the
		originator of connection c.
	get_resp_seq(c: conn_id): count;
		same for c's responder.

- Additional new events (other than those related to the new analyzers):

	new_connection(c: connection)
		is generated whenever a new connection is seen.

	partial_connection(c: connection)
		is generated whenever a new partial connection (one
		that doesn't begin with a SYN handshake) is seen.

	pm_bad_port(r: connection, bad_p: count)
		is generated when a portmapper response contains
		a bad port number.

- Functions, tables and sets can now be assigned.  Assignment is
  made by reference to the underlying object.

- Bro no longer looks up identifiers using getservbyname() to see if they
  should be interpreted as port numbers, since this led to portability
  problems.  Instead, a number of constants are defined in bro.init:
  bgp, domain, finger, ftp, gopher, http, ident, rlogin, smtp, ssh and telnet.

- Bro now supports an arbitrary number of open files (not bound by
  the system's limit on file descriptors).

- There's now a finger_reply event to go with finger_request.

- A bunch more RPC service names have been added, thanks to Job de Haas
  and others.

- A bug has been fixed in the watchdog handling that caused it to
  sometimes expire after a period of network inactivity.

- The Bro paper in doc/ has been revised (it isn't quite up-to-date,
  but considerably closer than the USENIX version).

- There has been a large amount of reworking of the internals, both
  to Bro itself and in the policy scripts.  If you find something you're
  wondering about, feel free to send me mail asking about it.
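
The whole-string behaviour of the "in" operator described in the v0.6 notes above, as an added example that is not part of the original message or the Bro distribution: a Python emulation that reports which lines a pattern flags and which it silently misses when the surrounding .*'s are left off. The helper names and input lines are constructed for illustration, and Python's regex dialect is assumed to agree with lex-style syntax for these simple patterns.

```python
import re

# Constructed login-session input lines (sample data, not from the message).
SAMPLE_LINES = [
    "cat /etc/passwd",
    "/etc/shadow",
    "./eggdrop -m bot.conf",
    "eggdrop",
    "ls -l",
]

# The message's patterns as Python regexes ('/' needs no escaping here).
# "eggdrop_prefix" is the variant with the leading .* left off.
PATTERNS = {
    "sensitive_files": r"/etc/(passwd|shadow)",
    "eggdrop_anywhere": r".*eggdrop.*",
    "eggdrop_prefix": r"eggdrop.*",
}


def whole_match(line, pattern):
    """Emulate the 0.6 "in" operator: the pattern must match the entire string."""
    return re.fullmatch(pattern, line) is not None


def hits(lines, patterns):
    """Map each pattern name to the lines it flags under whole-string matching."""
    return {name: [l for l in lines if whole_match(l, rx)]
            for name, rx in patterns.items()}


def missed(lines, patterns):
    """Map each pattern name to lines that contain a match somewhere but are
    not flagged, i.e. detections lost for lack of a leading or trailing .*"""
    return {name: [l for l in lines
                   if re.search(rx, l) and not whole_match(l, rx)]
            for name, rx in patterns.items()}


if __name__ == "__main__":
    flagged = hits(SAMPLE_LINES, PATTERNS)
    for name, lost in missed(SAMPLE_LINES, PATTERNS).items():
        print(f"{name}: flags {flagged[name]}, misses {lost}")
```

Running candidate patterns through a check like missed() against representative session lines shows, before deployment, whether a signature was written with substring matching in mind.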
