bro 0.6 alpha now available
vern at ee.lbl.gov
Wed Jul 21 23:08:18 PDT 1999
The Bro 0.6 alpha distribution is now available from
There have been a number of additions and changes. I've appended
the corresponding entries from the CHANGES file.
v0.6 Wed Jul 21 17:02:50 PDT 1999
- Support for regular expressions added. You specify lex-style regular
expressions between '/'s, for example "/\/etc\/(passwd|shadow)/" has
the type "pattern" and matches /etc/passwd or /etc/shadow (the slashes
in the pattern need to be escaped or else they'd delimit the end of the
pattern). Pattern-matching is via the "in" operator, so for example:
if ( filename in /\/etc\/(passwd|shadow)/ )
const sensitive_files = /\/etc\/(passwd|shadow)/;
if ( filename in sensitive_files )
Presently the "in" operator requires that the entire left-hand side
be matched by the pattern. So, for example, if you want to find the
string "eggdrop" anywhere inside the string "line", you would use
if ( line in /.*eggdrop.*/ )
If you leave off either of the .*'s, then eggdrop will only be matched
at the beginning or end of the line.
In the future, there will be mechanisms for specifying whether you
want to match anywhere in a line, or anchored; accordingly, *the above
syntax is subject to change*.
Bro compiles regular expressions into DFAs for fast matching. This can take
quite a bit of time for complicated patterns. Consequently, it maintains a
cache of compiled regular expressions in $HOME/.bro-RE-cache-v1. You can
always safely remove this file; Bro will recreate/repopulate it as needed.
It does not clean up unused entries from it, so if you change your patterns
frequently, you will accumulated lots of old ones and should delete the
file to garbage collect them.
- An rlogin analysis module has been added and the telnet analysis
generalized to generic "login" analysis, with the following events:
login_failure(c: connection, user: string, client_user: string,
password: string, line: string)
Generated on a failed attempt to log in. client_user is
the remote user name, if the login is via the rlogin
login_success(c: connection, user: string, client_user: string,
password: string, line: string)
Generated on a successful attempt to log in.
login_input_line(c: connection, line: string)
Generated per line of input typed by the user.
login_output_line(c: connection, line: string)
Generated per line of output generated by the server.
login_confused(c: connection, msg: string, line: string)
Generated when a login dialog confuses the heuristic
analyzer. msg is a tag for the state mismatch that
was unexpected, line is the corresponding dialog text.
login_confused_text(c: connection, line: string)
Once a connection is in the confused state, then this
is generated for each subsequent line.
login_terminal(c: connection, terminal: string)
Generated if the terminal type associated with the
connection is seen.
login_display(c: connection, display: string)
Generated if the display associated with the connection
Generated when the connection has produced an excessively
login_input_line() and login_output_line() are very powerful for
detecting intrusions, when coupled with regular-expression matching.
login_terminal() is used to detect backdoors that are triggered
by the terminal environment variable.
- An ident analysis module has been added (port 113). It generates
ident_request, ident_reply, and ident_error events. Port 113 used
to be referred to as "auth"; now it's referred to as "ident".
- A new type of scan detection has been added, which is triggered
by a remote host trying a large number of username/password
combinations. See the account_tried() function in scan.bro.
- The default search path for .bro files is now
where priv-policy/ is intended for private policy and pub-policy/
for public policy. The Bro alpha distribution ships with a
sample set of pub-policy scripts.
- New built-ins:
system(s: string): int
executes the given shell command using system()
and returns its status.
set_contents_file(c: conn_id, direction: count, f: file)
copies connection c's reassembled byte stream in
either the originator-to-responder direction (if
direction is CONTENTS_ORIG) or the responder-to-
originator direction (CONTENTS_RESP) to the file f.
returns true if Bro is running on live traffic (read
from a network interface), false if it's reading from
a save file.
mkdir(f: string): bool
creates the given directory, returning true if it
was able to, false if not.
get_orig_seq(c: conn_id): count;
returns the highest sequence number sent by the
originator of connection c.
get_resp_seq(c: conn_id): count;
same for c's responder.
- Additional new events (other than those related to the new analyzers):
is generated whenever a new connection is seen.
is generated whenever a new partial connection (one
that doesn't begin with a SYN handshake) is seen.
pm_bad_port(r: connection, bad_p: count)
is generated when a portmapper response contains
a bad port number.
- Functions, tables and sets can now be assigned. Assignment is
made by reference to the underlying object.
- Bro no longer looks up identifiers using getservbyname() to see if they
should be interpreted as port numbers, since this led to portability
problems. Instead, a number of constants are defined in bro.init:
bgp, domain, finger, ftp, gopher, http, ident, rlogin, smtp, ssh and telnet,
- Bro now supports an arbitrary number of open files (not bound by
the system's limit on file descriptors).
- There's now a finger_reply event to go with finger_request.
- A bunch more RPC service names have been added, thanks to Job de Haas
- A bug has been fixed in the watchdog handling that caused it to
sometimes expire after a period of network inactivity.
- The Bro paper in doc/ has been revised (it isn't quite up-to-date,
but considerably closer than the USENIX version).
- There has been a large amount of reworking of the internals, both
to Bro itself and in the policy scripts. If you find something you're
wondering about, feel free to send me mail asking about it.
More information about the Bro