[Bro] new Bro CURRENT release (0.9a9)

Christoph Goeldi goeldich at ee.ethz.ch
Fri May 20 01:57:41 PDT 2005

YEAH!!! Very nice. I will test this release soon.

Thanx to all you developer.

Maybe you can fix the links on the download page of the homepage:


Zitat von Vern Paxson <vern at icir.org>:

> A new CURRENT release, 0.9a9, is now available from:
> 	ftp://ftp.ee.lbl.gov/bro-0.9-current.tar.gz
> This release includes a significant number of changes and bug fixes, per
> the appended.  It has one known glitch, which is some bogus alarms generated
> when using the DNS analyzer.  We hope to have those fixed soon.
> 		Vern
> -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> 0.9a9 Thu May 19 23:31:33 PDT 2005
> - First cut at analyzer for NFS (Vern Paxson).  It generates the following
>  events:
> 	event nfs_request_null(n: connection)
> 	event nfs_request_getattr(n: connection, fh: string, attrs: nfs3_attrs)
> 	event nfs_request_lookup(n: connection, req: nfs3_lookup_args,
> 				rep: nfs3_lookup_reply)
> 	event nfs_request_fsstat(n: connection, root_fh: string,
> 				stat: nfs3_fsstat)
> 	event nfs_attempt_null(n: connection, status: count)
> 	event nfs_attempt_getattr(n: connection, status: count, fh: string)
> 	event nfs_attempt_lookup(n: connection, status: count,
> 				req: nfs3_lookup_args,
> 				dir_attrs: nfs3_opt_attrs)
> 	event nfs_attempt_fsstat(n: connection, status: count,
> 				root_fh: string, obj_attrs: nfs3_opt_attrs)
> - The new script OS-fingerprint.bro integrates Bro's new passive OS
>  fingerprinting mechanism with the software.bro framework (Vern Paxson).
> - You can now operate on patterns using && and || (Vern Paxson).
>  If p1 and p2 are patterns, then p1 && p2 yields a pattern that matches
>  their concatenation and p1 || p2 yields a pattern that matches either.
>  Note that the syntax for this may change in the future to a single '&'
>  or '|', which would be more consistent with the use of '|' in
>  constructing pattern constants.
> - An experimental "connection compressor" tracks not-yet-established
>  connections using much less memory than Bro normally does (Robin Sommer).
>  This is potentially a major win during flooding attacks and high-speed
>  scans.  You activate it by setting use_connection_compressor to T.  You
>  can then control the granularity of its processing using the variables
>  cc_handle_resets, cc_handle_only_syns, and cc_instantiate_on_data.  See
>  bro.init for brief discussion of these.
> - The experimental new script firewall.bro supports firewall-rule-like
>  processing of connections in terms of allow/deny (Robin Sommer).  It is
>  not particularly efficient.
> - sensor-sshd.bro provides an experimental interface for receiving
>  events from instrumented SSH servers that communicate with Bro via
>  the Broccoli client library (Christian Kreibich and Robin Sommer).
>  Supporting this also entailed extensions to login.bro so it can
>  process the events even though they don't correspond to a connection
>  known to Bro's event engine.
> - The new built-in function match_signatures() can be used in a policy
>  script to send text directly into the signature engine (Robin Sommer).
> - Correction: the 0.9a8 CHANGES states that the mail_script variable used
>  for NOTICE_EMAIL defaults to mail_script.sh.  The correct value is instead
>  "mail_notice.sh".
> - The scripts rsh.bro and passwords.bro, and the passive-fingerprinting
>  signatures policy/sigs/p0fsyn.osf were inadvertantly left out of the
>  0.9a8 distribution.
> - Added s2b (snort to bro) files into the distribution. (Jason Lee)
> - Non-blocking packet capture under Linux has been fixed (Robin Sommer).
> - Fixed printing of DNS replies, which used to work but was broken
>  a number of months ago (Vern Paxson).
> - The new script brolite-sigs separates out how signatures are configured
>  in Bro Lite so the functionality can be enabled/disabled with a simple
>  load statement (Roger Winslow).  That is, to use signatures with Bro
>  lite, simply add "@load brolite-sigs".
> - The new script variable enable_syslog (default T) controls whether
>  alarm's are syslog'd (Robin Sommer).  As before, syslogs can only happen
>  when Bro is reading from live network traffic (this should be changed
>  at some point, to accommodate real-time Bro's that don't read the network
>  but collect events from other sensors).  Previously, in that case syslog's
>  always happened; now, you can turn them off using this variable.
> - The new script variable expensive_profiling_multiple controls how
>  often, when doing profiling, to perform more expensive forms of
>  profiling, in particular, memory consumption profiling (Robin Sommer).
>  If profiling_interval is set to 15 sec and expensive_profiling_multiple
>  is set to 20, then expensive profiling will be done every 5 minutes
>  (these are the defaults now in profiling.bro).  Also, the profiling_update
>  event now includes a second argument, expensive: bool, which indicates
>  whether the update corresponds to one of these expensive profiling
>  intervals.
> - First cut at parsing DNS AAAA replies (Scott Campbell).  This is quite
>  incomplete - currently, the replies are turned into fake A record replies,
>  due to the difficulty of dealing with IPv6 addresses if Bro wasn't built
>  to analyze IPv6 traffic.
> - software.bro has been tweaked to have a new control variable,
>  "only_report_local" (default F).  If true, then only software versions
>  for local addresses (as determined by is_local_addr()) will be
>  reported.
> - synflood.bro now has a script variable max_sources (default 100) that
>  specifies the maximum number of sources to track for a given victim
>  (Robin Sommer).
> - Remote peers now negotiate their versions of the serialization format
>  (Robin Sommer). If they don't agree then the connection is terminated.
> - Generic UDP request/response processing has been moved into the new
>  policy script udp-common.bro, which, unlike udp.bro, does *not* set the
>  packet filter to capture all UDP traffic (Robin Sommer).  A number
>  of UDP-based policy scripts have been modified to use udp-common.bro
>  rather than udp.bro.
> - When printing serialized/independent state, access times are now
>  again included (Robin Sommer).
> - Bro's implementation of timers has been switched (reverted) to using
>  priority queues (Vern Paxson).
> - The http-request.bro script variables skip_remote_sensitive_URIs and
>  const sensitive_post_URIs are now exported so they can be accessed
>  externally (Robin Sommer).
> - Some new rootkit filenames have been added to ftp.bro and
>  http-request.bro (Brian Tierney).  The plan is to eventually
>  merge these lists so there's only one main list.
> - trw.bro is now scoped as a module "TRW" (Brian Tierney).
> - Better support of the '--disable-localpcap' flag to configure, and
>  consolidated all the pcap checks in configure.in (Jason Lee).
> - A bug in processing bare carriage-returns in Telnet input/output
>  has been fixed (Vern Paxson).
> - The Bro Lite bro.rc script has been tweaked to use the 'ax' flags
>  instead of '-ax' (Jason Lee).
> - A bug with reporting ICMP "ports" (i.e., type + code) has been fixed
>  (Vern Paxson).
> - Bug fix for excessively large RPC messages (Ruoming Pang).
> - A bug with /0 subnet prefixes has been fixed (Robin Sommer).
> - The function record_connection() now takes the file to write to
>  as its first argument (Robin Sommer).
> - remote.bro now tracks whether a given Destination is connected
>  (Robin Sommer).
> - mail_notice.sh is now installed as part of installing a distribution
>  (Jason Lee).
> - Fixed bug where the sort order for the test suite changed depending
>  on locale. (Jason Lee)
> - Bug fix for email_notice() when notice_action_filters not defined for
>  given notice (Vern Paxson).
> - The test suite test for rare-events fixed to not give false positives
>  (Jason Lee).
> - Date added for 0.9a8 release.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list