new Bro release available - 0.8a1
vern at icir.org
Sat Sep 21 22:22:37 PDT 2002
A new Bro alpha release is now available from:
This is a "bleeding edge" release with a number of changes (appended).
The current stable release remains 0.7a175b, available from:
0.8a1 Sat Sep 21 22:09:23 PDT 2002
- IPv6 support enabled if you build using -DBROv6. Deficiencies: Bro
doesn't yet look up hostnames for AAAA records; no handling of extension
headers (if you have traces of these, please send them to me!); no
handling of FTP PORT/PASV w/ IPv6 addresses (again, if you have traces,
please send them!); DNS analyzer doesn't understand AAAA yet (again,
please send me traces!); you have to change the capture_filter line
in tcp.bro (as indicated in the script) in order to process TCP traffic,
due to deficiencies in libpcap's support for IPv6.
- Bro is migrating towards a more structured way of handling log messages /
alerts. Analyzers now @load alert.bro, which has a function ALERT()
for processing alerts. Soon this function will provide a variety of
filtering/processing hooks; expect changes.
- Bro now has an HTTP response analyzer (contributed by Ruoming Pang).
The HTTP policy scripts have been split up into http.bro (just general
definitions), http-request.bro (handles requests; loaded by http.bro),
http-reply.bro (handles replies; you need to explicitly load this), and
http-detail.bro (handles individual headers). http-reply.bro will be
undergoing some significant reworking in the near future; probably the
scripts will be merged back into a single http.bro plus http-detail.bro.
- ssl-worm.bro contains a prototype policy script for detecting the
Scalper SSL worm (contributed by Robin Sommer). It uses the signature
file sig.ex.ssl-worm.bro. If someone has traces of Scalper in action
to send us, that would be great.
- A new policy script, contents.bro, extracts the contents of each
Bro connection into its own pair of files (one file for each
direction). Use in conjunction with -f or discarder_XXX() to
extract specific connections.
- A new built-in function, strcmp(), returns the usual comparison between
two strings (contributed by Robin Sommer).
- A new event, content_gap(), is generated when Bro detects that it is
forced to skip over data in a reconstructed TCP stream because it is
missing from the packet input.
- BIND8 is no longer included with the distribution. If this causes you
problems, let me know.
- aux/scripts/bro_logchk is a Perl script for parsing Bro HTTP & FTP logs
(contributed by Jim Barlow).
- You can now compare addresses to see which is larger. a < b means
that in network order, the octets making up 'a' are ordered before
those for 'b'. E.g., 220.127.116.11 < 18.104.22.168 < 22.214.171.124. Note that
IPv4 addresses are all < IPv6 addresses (other than IPv4 addresses
that are embedded in IPv6 addresses, e.g., ::126.96.36.199 < 188.8.131.52).
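The ordering described above can be reproduced outside Bro by comparing addresses as their network-order byte strings. The following Python is an added illustration, not Bro code; it assumes (as the "::126.96.36.199" example suggests, but the announcement does not state outright) that a bare IPv4 address a.b.c.d is compared as the IPv4-compatible form ::a.b.c.d, i.e. twelve zero bytes followed by the four octets, which is what makes plain IPv4 addresses sort below every IPv6 address except those that embed an IPv4 address.

```python
import ipaddress


def to_network_order_key(addr: str) -> bytes:
    """Return a 16-byte big-endian key so that byte-wise comparison of the
    keys is the "network order" comparison the release notes describe.

    Assumption (illustrative, not taken from the page): an IPv4 address is
    widened to the IPv4-compatible IPv6 form ::a.b.c.d before comparison.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return bytes(12) + ip.packed   # ::a.b.c.d
    return ip.packed                   # already 16 network-order bytes


def addr_less_than(a: str, b: str) -> bool:
    """a < b in the sense of the release notes: the octets of a, in network
    order, come before those of b."""
    return to_network_order_key(a) < to_network_order_key(b)


def addr_equal(a: str, b: str) -> bool:
    """Equality under the same widening, so ::a.b.c.d equals a.b.c.d."""
    return to_network_order_key(a) == to_network_order_key(b)


def sort_addrs(addrs):
    """Sort a mixed list of IPv4/IPv6 address strings in network order.
    Note this differs from plain string sorting: as strings "10.0.0.9" sorts
    after "10.0.0.10", but in network order it sorts before it."""
    return sorted(addrs, key=to_network_order_key)


if __name__ == "__main__":
    # Constructed sample input (documentation ranges, not real hosts).
    sample = ["2001:db8::1", "10.0.0.10", "::10.0.0.9", "10.0.0.9", "192.0.2.1"]
    for a in sort_addrs(sample):
        print(a)
```

Running the block prints the sample in network order: the two spellings of 10.0.0.9 first, then 10.0.0.10, 192.0.2.1, and finally the IPv6 address, which has non-zero bytes in its first twelve octets and therefore sorts above every IPv4 address.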
- Serious bug in TCP option handling fixed.
- Some bugs in CRLF handling fixed (courtesy Ruoming Pang).
- Bug in the implementation of &optional fixed.
- Bug in computing memory statistics when not reading packets (from
an interface or the trace file) fixed.
- You can now include a trailing comma after the last item in an
"enum" enumeration list.
- port-name.bro now maps 389/tcp to "ldap".
- A bug has been fixed in loading files multiple times.
More information about the Bro