new Bro pre-release available - 0.7a61

Knobbe, Roger Roger_Knobbe at
Fri Apr 6 15:04:40 PDT 2001

This is what I get

c++ -I. -O -I../libpcap-0.4  -Ilinux-include -c
In function `void make_var (ID *, BroType *, init_class, Expr *, attr_list *, decl_type, int)':
conditional expression between distinct pointer types `Expr *' and `BroType *' lacks a cast
cannot convert `void *' to `BroObj *' in initialization
make: *** [Var.o] Error 1
[burner at dns-102 bro-pub-0.7a61]$ c++ -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (Red Hat Linux 7.0)
[burner at dns-102 bro-pub-0.7a61]$

-----Original Message-----
From: Vern Paxson [mailto:vern at]
Sent: Friday, April 06, 2001 2:52 PM
To: bro at
Subject: new Bro pre-release available - 0.7a61

A new Bro pre-release is now available from:

The most timely change is the addition of an NTP analyzer that can detect
the new NTP remote root compromise attack.

A summary of the changes with respect to 0.7a48:

	- An NTP analyzer has been added.  See policy/ntp.bro for a
	  corresponding policy file that detects the newly discovered
	  NTP remote buffer overflow attack.

	- example-attacks/ is a new directory that contains trace files
	  of attacks.  Currently, there are just two to play with:

		bro -r example-attacks/ftp-site-exec.trace mt

	  will run on a trace of a "site exec" overflow attack, and

		bro -r example-attacks/ntp-attack.trace mt ntp

	  will run on an example of the NTP overflow.

	- The doc/ directory includes the postscript and HTML versions
	  of the first draft of the Bro manual.

	- A new policy file, icmp.bro, has preliminary (and only
	  partially developed) policy for analyzing ICMP.

	- The file libpcap.bufsize.patch includes the patch necessary
	  on some systems to increase the maximum libpcap buffer size.

	- You can now use anonymous functions in &default expressions,
	  so for example you can do:

		global foo: table[count] of string = {
			[1] = "1st", [2] = "2nd", [3] = "3rd",
		} &default = function(n: count): string { return fmt("%dth", n); };

	  and then referring to foo[5] will yield "5th".

	- There's now a "for" statement to iterate over the indices of
	  a table or the members of a set:

		for ( i in foo )

	  for the above "foo" will iterate with i assigned to 1, 2, and 3;
	  *but not in general in that order*.

	- The function contains_string() has been removed, and now you
	  can instead use an expression like

		"bar" in "foobar"

	  which will yield T.

	- The scan detection now has a mechanism for attempting to detect
	  SYN flooding backscatter and flagging it as different from a
	  stealth scan.

	- New event handlers:
			like new_connection(), but reassembles the
			stream so you can use set_content_files() to
			write it to a file

			invoked when a UDP session (which is defined on
			a per-protocol basis; currently only for NTP)

			invoked for each NTP message

	- UDP processing now does accounting for detecting scans.

	- UDP processing now tracks numbers of requests/replies for
	  sessions that support that notion.  The connections are
	  annotated by udp_session_done() with "[m,n]" for "m"
	  requests and "n" replies, providing either m or n > 1.

	- New variable accessible from policy:

			how often the watchdog should check for whether
			Bro is making internal progress

	- A bunch of functions no longer have a first argument of the
	  current time; get it instead from network_time() if you need it:

	- A bunch of functions now return bool rather than int values:


	- The variable "hot_dests" has been renamed to "hot_dsts".

	- 111/tcp is now identified as "portmap" rather than "rpc".

	- Connections flagged as hot for some types of characteristics
	  are now annotated with the reason associated with the
	  decision.  (I think a lot more of this is needed.)

	- Portmapper dumps are annotated with the results of the mapping.
	  This will be streamlined in the future.

- Vern
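The announcement above describes two things the new UDP/NTP code does: it parses NTP messages (the analyzer behind policy/ntp.bro) and it annotates a UDP session with "[m,n]" for m requests and n replies when either exceeds 1. The following is an added illustration of both, written for this page; it is not Bro's NTP analyzer or ntp.bro, and it reproduces none of their logic. The function names (parse_ntp, analyze, check_control), the OVERSIZE_CONTROL_DATA threshold used to flag a mode-6 control message, the rule that orients a session by port 123, and the sample packets are all assumptions made for the example.

```python
"""Toy NTP analyzer: parse NTP over UDP, keep per-session request/reply
counts, and flag suspicious mode-6 control messages.  Added example, not
Bro's code; threshold, orientation rule and sample packets are assumed."""
import struct
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

NTP_PORT = 123
MODE_CLIENT, MODE_SERVER, MODE_CONTROL = 3, 4, 6
OVERSIZE_CONTROL_DATA = 64   # assumed threshold for flagging control data


class NTPMsg(NamedTuple):
    version: int
    mode: int
    is_request: bool
    is_reply: bool
    control_data: bytes            # empty unless mode == 6
    declared_count: Optional[int]  # count field of a control message


def parse_ntp(payload: bytes) -> NTPMsg:
    """Decode the fields this analyzer needs from one NTP UDP payload."""
    if len(payload) < 12:
        raise ValueError("NTP message too short")
    version = (payload[0] >> 3) & 0x7
    mode = payload[0] & 0x7
    if mode == MODE_CONTROL:
        # RFC 1305 Appendix B control header: the R (response) bit is 0x80
        # of byte 1; the data length is the count field in bytes 10-11.
        is_reply = bool(payload[1] & 0x80)
        count = struct.unpack("!H", payload[10:12])[0]
        return NTPMsg(version, mode, not is_reply, is_reply,
                      payload[12:12 + count], count)
    if len(payload) < 48:
        raise ValueError("NTP time message shorter than its 48-byte header")
    return NTPMsg(version, mode, mode == MODE_CLIENT, mode == MODE_SERVER,
                  b"", None)


def session_key(src, sport, dst, dport) -> Tuple[str, int, str, int]:
    """Orient the 4-tuple as (client, cport, server, 123) when one side is
    the NTP port (assumed rule); otherwise keep the packet's direction."""
    if sport == NTP_PORT and dport != NTP_PORT:
        return (dst, dport, src, sport)
    return (src, sport, dst, dport)


def check_control(msg: NTPMsg, payload_len: int) -> List[str]:
    """Assumed heuristics for mode-6 messages: a count field larger than
    the bytes actually on the wire, or data longer than the threshold."""
    reasons = []
    if msg.declared_count > payload_len - 12:
        reasons.append(f"control count {msg.declared_count} exceeds payload")
    if len(msg.control_data) > OVERSIZE_CONTROL_DATA:
        reasons.append(f"oversized control data ({len(msg.control_data)} bytes)")
    return reasons


def analyze(packets):
    """packets: iterable of (src, sport, dst, dport, payload).  Returns
    (annotations, alerts): annotations maps a session key to "[m,n]" for
    m requests and n replies, only when m or n > 1; alerts is a list of
    (session key, reason) for malformed or flagged messages."""
    counts: Dict[tuple, List[int]] = defaultdict(lambda: [0, 0])
    alerts: List[Tuple[tuple, str]] = []
    for src, sport, dst, dport, payload in packets:
        key = session_key(src, sport, dst, dport)
        try:
            msg = parse_ntp(payload)
        except ValueError as err:
            alerts.append((key, f"malformed: {err}"))
            continue
        if msg.is_request:
            counts[key][0] += 1
        if msg.is_reply:
            counts[key][1] += 1
        if msg.mode == MODE_CONTROL:
            for reason in check_control(msg, len(payload)):
                alerts.append((key, reason))
    annotations = {k: f"[{m},{n}]" for k, (m, n) in counts.items()
                   if m > 1 or n > 1}
    return annotations, alerts


# Constructed sample traffic (not a real capture).
def time_msg(mode: int) -> bytes:
    return bytes([(4 << 3) | mode]) + bytes(47)       # LI=0, VN=4, 48 bytes


def control_msg(data: bytes, reply=False, count=None, opcode=2) -> bytes:
    count = len(data) if count is None else count     # opcode 2: read variables
    hdr = struct.pack("!BBHHHHH", (4 << 3) | MODE_CONTROL,
                      (0x80 if reply else 0) | opcode, 1, 0, 0, 0, count)
    return hdr + data


SAMPLE = [
    ("10.0.0.5", 1234, "10.0.0.1", 123, time_msg(MODE_CLIENT)),
    ("10.0.0.1", 123, "10.0.0.5", 1234, time_msg(MODE_SERVER)),
    ("10.0.0.5", 1234, "10.0.0.1", 123, time_msg(MODE_CLIENT)),
    ("10.0.0.1", 123, "10.0.0.5", 1234, time_msg(MODE_SERVER)),
    ("10.0.0.9", 4000, "10.0.0.1", 123, control_msg(b"A" * 200)),
    ("10.0.0.9", 4001, "10.0.0.1", 123, control_msg(b"peers", count=500)),
    ("10.0.0.1", 123, "10.0.0.9", 4001, control_msg(b"ok", reply=True)),
]

if __name__ == "__main__":
    annotations, alerts = analyze(SAMPLE)
    for key, note in annotations.items():
        print("session", key, note)
    for key, reason in alerts:
        print("alert", key, reason)
```

Running it annotates the 10.0.0.5 poll session as "[2,2]" and raises one alert for each of the two constructed control requests: one for 200 bytes of data in a single readvar, one for a count field claiming more data than the datagram carries. The second check matters for any UDP parser: trusting a length field without bounding it by the bytes actually received is exactly the kind of mistake an analyzer must not repeat while looking for it in the traffic.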

More information about the Bro mailing list
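The change notes say the scan detector now tries to tell SYN-flooding backscatter apart from a stealth scan, without saying how. As an added illustration of why the two look alike to a naive "one remote host touched many of ours" counter, and of one way to separate them, the following is an example written for this page, not Bro's scan detection. The rule it uses (SYNs from one remote to many local hosts are a scan; SYN/ACKs or RSTs from one remote to many local hosts that never sent it a SYN are backscatter from a flood that forged our addresses), the HOST_THRESHOLD value, the Pkt record and the sample packets are assumptions made for the example.

```python
"""Toy separation of SYN-flood backscatter from a scan.  Added example,
not Bro's code: rule, threshold and sample packets are assumed."""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Set, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10
HOST_THRESHOLD = 5  # assumed: distinct local hosts before a remote is flagged


class Pkt(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def classify(packets: Iterable[Pkt], local_prefix: str) -> Dict[str, str]:
    """Return {remote_ip: "scan" | "backscatter"} for every remote that
    touched at least HOST_THRESHOLD distinct local hosts in one of the
    two ways.  The stream is assumed to be in time order."""
    def local(ip: str) -> bool:
        return ip.startswith(local_prefix)

    initiated: Set[Tuple[str, str]] = set()              # (local, remote): local sent the SYN
    syn_targets: Dict[str, Set[str]] = defaultdict(set)  # remote -> local hosts it SYNed
    unsolicited: Dict[str, Set[str]] = defaultdict(set)  # remote -> local hosts it answered unasked
    for p in packets:
        pure_syn = bool(p.flags & SYN) and not (p.flags & ACK)
        if local(p.src) and not local(p.dst):
            if pure_syn:
                initiated.add((p.src, p.dst))
        elif local(p.dst) and not local(p.src):
            if pure_syn:
                syn_targets[p.src].add(p.dst)
            elif p.flags & (ACK | RST) and (p.dst, p.src) not in initiated:
                # A SYN/ACK or RST nobody here asked for: the remote is
                # answering a SYN that carried one of our addresses.
                unsolicited[p.src].add(p.dst)

    verdict: Dict[str, str] = {}
    for remote in set(syn_targets) | set(unsolicited):
        if len(unsolicited[remote]) >= HOST_THRESHOLD:
            verdict[remote] = "backscatter"
        elif len(syn_targets[remote]) >= HOST_THRESHOLD:
            verdict[remote] = "scan"
    return verdict


def sample() -> list:
    """Constructed packets, not a real trace."""
    pkts = []
    # 203.0.113.7 is being SYN-flooded with forged 10.0.0.x sources and
    # answers each forged SYN with a SYN/ACK toward us: backscatter.
    for i in range(1, 7):
        pkts.append(Pkt("203.0.113.7", f"10.0.0.{i}", 80, 40000 + i, SYN | ACK))
    # 198.51.100.4 probes port 22 on six local hosts: a scan.
    for i in range(1, 7):
        pkts.append(Pkt("198.51.100.4", f"10.0.0.{i}", 51000 + i, 22, SYN))
    # 10.0.0.3 opened a connection to 192.0.2.10; that SYN/ACK is solicited.
    pkts.append(Pkt("10.0.0.3", "192.0.2.10", 33000, 443, SYN))
    pkts.append(Pkt("192.0.2.10", "10.0.0.3", 443, 33000, SYN | ACK))
    return pkts


SAMPLE = sample()

if __name__ == "__main__":
    for remote, kind in sorted(classify(SAMPLE, "10.0.0.").items()):
        print(remote, kind)
```

The two remotes each hit six local hosts, so a counter that ignores TCP flags and connection direction would report both as scanners. Keying on whether the packets are initial SYNs or replies, and on whether any local host actually initiated toward the remote, is what lets the backscatter source (itself a flood victim) be reported as something other than a hostile scanner.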