new Bro releases

Vern Paxson vern at icir.org
Sun Jul 11 10:34:17 PDT 2004


New CURRENT (0.9a3) and STABLE (0.8a87) releases are now available from:

	ftp://bro-ids.org/bro-pub-0.9-current.tar.gz
	ftp://bro-ids.org/bro-pub-0.8-stable.tar.gz

The most significant changes are to ICMP processing, including ICMP
scan detection.  The STABLE release fixes a bug:

> - Fixed broken VLAN support (integration of original patch was incomplete).

per the appended patch.

		Vern


-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


0.9a3 Wed Jul  7 22:06:26 PDT 2004

- Improved ICMP processing, including scan detection (Scott Campbell).

- ICMP "connections" are now considered unidirectional.

- Fixed broken VLAN support (integration of original patch was incomplete).

- Fixed a bug in erroneously generating additional "ContentGap"
  alerts after an initial one.

- Connection durations are now always reported as floating-point decimal,
  never in exponential notation.

- Removed unused time parameter from a bunch of internal calls.

- Fixed some compilation warnings.

- "make clean" now removes generated policy/*.bif.bro files (Christian
  Kreibich).


-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


diff -ru bro-pub-0.8a86/CHANGES bro-pub-0.8a87/CHANGES
--- bro-pub-0.8a86/CHANGES	Fri Jun 11 01:01:53 2004
+++ bro-pub-0.8a87/CHANGES	Sun Jul 11 10:26:36 2004
@@ -1,6 +1,11 @@
-@(#) $Id: CHANGES,v 1.2 2004/06/06 17:42:53 vern Exp $ (LBL)
+@(#) $Id: CHANGES,v 1.1 2004/07/11 17:25:57 vern Exp vern $ (LBL)
 
 -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+0.8a87 Sun Jul 11 10:26:35 PDT 2004
+
+- Fixed broken VLAN support (integration of original patch was incomplete).
 
 
 0.8a86 Fri Jun 11 01:01:49 PDT 2004
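Review bot: the $Id keyword line in this hunk moves backwards from revision 1.2 to 1.1 and now ends in "Exp vern", which is the RCS locker field, so the file was expanded while checked out locked from what looks like a fresh revision history. The Net.cc header shows the same pattern (1.52 to 1.1). Consider releasing from an unlocked checkout that preserves the revision numbering, so that $Id strings in the field can still be ordered and matched to a release.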
diff -ru bro-pub-0.8a86/Net.cc bro-pub-0.8a87/Net.cc
--- bro-pub-0.8a86/Net.cc	Sun Mar 21 09:23:38 2004
+++ bro-pub-0.8a87/Net.cc	Sun Jul 11 10:24:48 2004
@@ -1,4 +1,4 @@
-// $Id: Net.cc,v 1.52 2004/03/21 17:23:25 vern Exp $
+// $Id: Net.cc,v 1.1 2004/07/11 17:24:11 vern Exp vern $
 //
 // Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002
 //      The Regents of the University of California.  All rights reserved.
@@ -271,6 +271,30 @@
 	current_pktsrc = soonest_ps;
 	pkt = soonest_ps->NextPacket(hdr);
 	hdr_size = soonest_ps->HdrSize();
+
+	if ( encap_hdr_size > 0 )
+		{
+		// We're doing tunnel encapsulation.  Check whether there's
+		// a particular associated port.
+		if ( tunnel_port > 0 )
+			{
+			struct ip* ip_hdr = (struct ip*) (pkt + hdr_size);
+			if ( ip_hdr->ip_p == IPPROTO_UDP )
+				{
+				struct udphdr* udp_hdr = (struct udphdr*)
+					(pkt + hdr_size + ip_hdr->ip_hl * 4);
+
+				if ( ntohs(udp_hdr->uh_dport) == tunnel_port )
+					// A match.
+					hdr_size += encap_hdr_size;
+				}
+			}
+
+		else
+			// Blanket encapsulation.
+			hdr_size += encap_hdr_size;
+		}
+
 	ts = soonest;
 
 	if ( ! pkt )
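Review bot: the added block dereferences pkt (ip_hdr->ip_p at pkt + hdr_size) before the existing `if ( ! pkt )` test that follows it, so when tunnel_port > 0 and NextPacket() yields no packet the code reads through an invalid pointer; move the block below that test or open it with `if ( pkt && encap_hdr_size > 0 )`. The IP and UDP header reads are also done without checking that the captured data is long enough to hold hdr_size, ip_hl * 4 and a UDP header, and ip_hl comes straight from the packet, so a truncated or malformed frame leads to a read past the end of the buffer. Compare those offsets against the captured length available through hdr, and reject an ip_hl below 5, before touching udp_hdr->uh_dport. The cast to struct ip also assumes the payload at hdr_size is IPv4 without checking the version field.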
diff -ru bro-pub-0.8a86/VERSION bro-pub-0.8a87/VERSION
--- bro-pub-0.8a86/VERSION	Fri Jun 11 00:58:49 2004
+++ bro-pub-0.8a87/VERSION	Sun Jul 11 10:23:57 2004
@@ -1 +1 @@
-0.8a86
+0.8a87


