new bro "CURRENT" release - 0.8a57
vern at icir.org
Fri Dec 12 10:51:32 PST 2003
> The change notes above don't mention the <addl> field. Is that just
> an oversight in the notes,
Yes, just an oversight in the notes.
> Will <service> still contain port numbers? Or will "other-nnnnn" become
> simply "other"? (that would be my preference)
Good point. As implemented, it continues to be other-nnnnn, but I think
just plain "other" makes more sense, since we now can finally cleanly separate
the notion of service from the notion of port.
> Although I don't know what the "neighbor net" U flag even means, I wonder
> if this is the time to drop that, as the BRO manual says the whole notion
> is historical.
The notion of "neighbor" is still used a bit in the policy scripts
(in scan.bro, in particular - different rules apply to scan detection
for activity from neighbors than from others), but arguably this should
be structured in a different fashion (a general notion of networks that
are allowed to scan), and in fact this has bitten us operationally in
the past, when an infected neighbor scanned us.
Thanks for the suggestions!
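The two points in the exchange above (splitting "other-nnnnn" into a service and a port, and why a blanket "neighbors may scan" exemption bites when a neighbor is infected) as an added Python example; this is editorial illustration, not Bro's own code or its scan.bro policy. The address ranges, the record layout (source, destination, service), the threshold and the sweep data are all constructed for the example:

```python
"""Added example (not Bro code): service/port split and scan-exemption policy."""
import ipaddress
import re
from collections import defaultdict

# Bro 0.8a57 conn summaries label unknown services "other-<port>"; this splits
# that into the service name and the port, which the message argues should be
# tracked separately.
_OTHER_RE = re.compile(r"^other-(\d{1,5})$")


def split_service(service):
    """'other-445' -> ('other', 445); any other label -> (label, None)."""
    m = _OTHER_RE.match(service)
    if m:
        return "other", int(m.group(1))
    return service, None


# Constructed ranges (RFC 5737 documentation space), assumed for the example.
NEIGHBOR_NETS = [ipaddress.ip_network("192.0.2.0/24")]        # "neighbor" in the old sense
ALLOWED_SCANNER_NETS = [ipaddress.ip_network("198.51.100.0/28")]  # hosts explicitly allowed to scan


def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def detect_scans(records, threshold, exempt_nets):
    """Return sources that touched >= threshold distinct destinations and are
    not inside one of the exempt networks. Which networks are exempt is the
    whole policy question: a neighbor list exempts an infected neighbor, an
    explicit allowed-scanner list does not."""
    targets = defaultdict(set)
    for src, dst, _service in records:
        targets[src].add(dst)
    return sorted(
        src for src, dsts in targets.items()
        if len(dsts) >= threshold and not in_any(src, exempt_nets)
    )


def _sweep(src, count, service):
    """Constructed records: one source hitting `count` distinct hosts."""
    return [(src, f"10.0.0.{i}", service) for i in range(1, count + 1)]


RECORDS = (
    _sweep("192.0.2.7", 10, "other-445")       # infected neighbor sweeping port 445
    + _sweep("203.0.113.5", 12, "other-135")   # outside host sweeping port 135
    + _sweep("198.51.100.3", 15, "other-22")   # authorised scanner on port 22
    + [("10.0.0.1", "10.0.0.2", "http")]       # ordinary traffic
)

if __name__ == "__main__":
    print(split_service("other-445"))
    print("neighbors exempt:", detect_scans(RECORDS, 8, NEIGHBOR_NETS))
    print("allowed scanners exempt:", detect_scans(RECORDS, 8, ALLOWED_SCANNER_NETS))
```

With neighbors exempt, the infected neighbor 192.0.2.7 disappears from the report while the authorised scanner is flagged; keying the exemption on an explicit allowed-to-scan list reverses both outcomes, which is the restructuring the message suggests.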