[Bro] new Bro CURRENT release (0.9a9)
goeldich at ee.ethz.ch
Fri May 20 01:57:41 PDT 2005
YEAH!!! Very nice. I will test this release soon.
Thanks to all you developers.
Maybe you can fix the links on the download page of the homepage:
Quoting Vern Paxson <vern at icir.org>:
> A new CURRENT release, 0.9a9, is now available from:
> This release includes a significant number of changes and bug fixes, per
> the appended. It has one known glitch, which is some bogus alarms generated
> when using the DNS analyzer. We hope to have those fixed soon.
> 0.9a9 Thu May 19 23:31:33 PDT 2005
> - First cut at analyzer for NFS (Vern Paxson). It generates the following
> event nfs_request_null(n: connection)
> event nfs_request_getattr(n: connection, fh: string, attrs: nfs3_attrs)
> event nfs_request_lookup(n: connection, req: nfs3_lookup_args,
> rep: nfs3_lookup_reply)
> event nfs_request_fsstat(n: connection, root_fh: string,
> stat: nfs3_fsstat)
> event nfs_attempt_null(n: connection, status: count)
> event nfs_attempt_getattr(n: connection, status: count, fh: string)
> event nfs_attempt_lookup(n: connection, status: count,
> req: nfs3_lookup_args,
> dir_attrs: nfs3_opt_attrs)
> event nfs_attempt_fsstat(n: connection, status: count,
> root_fh: string, obj_attrs: nfs3_opt_attrs)
> - The new script OS-fingerprint.bro integrates Bro's new passive OS
> fingerprinting mechanism with the software.bro framework (Vern Paxson).
> - You can now operate on patterns using && and || (Vern Paxson).
> If p1 and p2 are patterns, then p1 && p2 yields a pattern that matches
> their concatenation and p1 || p2 yields a pattern that matches either.
> Note that the syntax for this may change in the future to a single '&'
> or '|', which would be more consistent with the use of '|' in
> constructing pattern constants.
> - An experimental "connection compressor" tracks not-yet-established
> connections using much less memory than Bro normally does (Robin Sommer).
> This is potentially a major win during flooding attacks and high-speed
> scans. You activate it by setting use_connection_compressor to T. You
> can then control the granularity of its processing using the variables
> cc_handle_resets, cc_handle_only_syns, and cc_instantiate_on_data. See
> bro.init for brief discussion of these.
> - The experimental new script firewall.bro supports firewall-rule-like
> processing of connections in terms of allow/deny (Robin Sommer). It is
> not particularly efficient.
> - sensor-sshd.bro provides an experimental interface for receiving
> events from instrumented SSH servers that communicate with Bro via
> the Broccoli client library (Christian Kreibich and Robin Sommer).
> Supporting this also entailed extensions to login.bro so it can
> process the events even though they don't correspond to a connection
> known to Bro's event engine.
> - The new built-in function match_signatures() can be used in a policy
> script to send text directly into the signature engine (Robin Sommer).
> - Correction: the 0.9a8 CHANGES states that the mail_script variable used
> for NOTICE_EMAIL defaults to mail_script.sh. The correct value is instead
> - The scripts rsh.bro and passwords.bro, and the passive-fingerprinting
> signatures policy/sigs/p0fsyn.osf were inadvertently left out of the
> 0.9a8 distribution.
> - Added s2b (snort to bro) files into the distribution. (Jason Lee)
> - Non-blocking packet capture under Linux has been fixed (Robin Sommer).
> - Fixed printing of DNS replies, which used to work but was broken
> a number of months ago (Vern Paxson).
> - The new script brolite-sigs separates out how signatures are configured
> in Bro Lite so the functionality can be enabled/disabled with a simple
> load statement (Roger Winslow). That is, to use signatures with Bro
> lite, simply add "@load brolite-sigs".
> - The new script variable enable_syslog (default T) controls whether
> alarms are syslogged (Robin Sommer). As before, syslogs can only happen
> when Bro is reading from live network traffic (this should be changed
> at some point, to accommodate real-time Bros that don't read the network
> but collect events from other sensors). Previously, in that case syslogs
> always happened; now, you can turn them off using this variable.
> - The new script variable expensive_profiling_multiple controls how
> often, when doing profiling, to perform more expensive forms of
> profiling, in particular, memory consumption profiling (Robin Sommer).
> If profiling_interval is set to 15 sec and expensive_profiling_multiple
> is set to 20, then expensive profiling will be done every 5 minutes
> (these are the defaults now in profiling.bro). Also, the profiling_update
> event now includes a second argument, expensive: bool, which indicates
> whether the update corresponds to one of these expensive profiling
> - First cut at parsing DNS AAAA replies (Scott Campbell). This is quite
> incomplete - currently, the replies are turned into fake A record replies,
> due to the difficulty of dealing with IPv6 addresses if Bro wasn't built
> to analyze IPv6 traffic.
> - software.bro has been tweaked to have a new control variable,
> "only_report_local" (default F). If true, then only software versions
> for local addresses (as determined by is_local_addr()) will be
> - synflood.bro now has a script variable max_sources (default 100) that
> specifies the maximum number of sources to track for a given victim
> (Robin Sommer).
> - Remote peers now negotiate their versions of the serialization format
> (Robin Sommer). If they don't agree then the connection is terminated.
> - Generic UDP request/response processing has been moved into the new
> policy script udp-common.bro, which, unlike udp.bro, does *not* set the
> packet filter to capture all UDP traffic (Robin Sommer). A number
> of UDP-based policy scripts have been modified to use udp-common.bro
> rather than udp.bro.
> - When printing serialized/independent state, access times are now
> again included (Robin Sommer).
> - Bro's implementation of timers has been switched (reverted) to using
> priority queues (Vern Paxson).
> - The http-request.bro script variables skip_remote_sensitive_URIs and
> const sensitive_post_URIs are now exported so they can be accessed
> externally (Robin Sommer).
> - Some new rootkit filenames have been added to ftp.bro and
> http-request.bro (Brian Tierney). The plan is to eventually
> merge these lists so there's only one main list.
> - trw.bro is now scoped as a module "TRW" (Brian Tierney).
> - Better support of the '--disable-localpcap' flag to configure, and
> consolidated all the pcap checks in configure.in (Jason Lee).
> - A bug in processing bare carriage-returns in Telnet input/output
> has been fixed (Vern Paxson).
> - The Bro Lite bro.rc script has been tweaked to use the 'ax' flags
> instead of '-ax' (Jason Lee).
> - A bug with reporting ICMP "ports" (i.e., type + code) has been fixed
> (Vern Paxson).
> - Bug fix for excessively large RPC messages (Ruoming Pang).
> - A bug with /0 subnet prefixes has been fixed (Robin Sommer).
> - The function record_connection() now takes the file to write to
> as its first argument (Robin Sommer).
> - remote.bro now tracks whether a given Destination is connected
> (Robin Sommer).
> - mail_notice.sh is now installed as part of installing a distribution
> (Jason Lee).
> - Fixed bug where the sort order for the test suite changed depending
> on locale. (Jason Lee)
> - Bug fix for email_notice() when notice_action_filters not defined for
> given notice (Vern Paxson).
> - The test suite test for rare-events fixed to not give false positives
> (Jason Lee).
> - Date added for 0.9a8 release.
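An added example of the new pattern operators from the announcement above (my own script, not from the announcement or the Bro distribution): it assumes the 0.9a9 syntax as described there, and the header strings are constructed samples. The point it shows is that `p1 && p2` requires the two pieces to be adjacent, which is not the same as testing `p1 in s && p2 in s`.

```bro
# Added example, not part of the 0.9a9 announcement. Assumes Bro 0.9a9
# pattern syntax: p1 && p2 = concatenation, p1 || p2 = alternation.

const ua_prefix = /User-Agent: /;
const scanner_name = /nikto|nmap/;       # constructed sample names

# Concatenation: matches only when a scanner name directly follows the prefix.
const scanner_ua_header = ua_prefix && scanner_name;

# Alternation: matches if either piece appears anywhere on its own.
const either_piece = ua_prefix || scanner_name;

event bro_init()
	{
	# Constructed sample header lines.
	local adjacent = "User-Agent: nikto/1.35";
	local apart    = "nikto was mentioned; User-Agent: Mozilla/4.0";

	# Adjacent pieces: the concatenated pattern matches.
	print fmt("adjacent, && : %s", scanner_ua_header in adjacent);   # T

	# Both pieces present but not adjacent: && does NOT match,
	# whereas testing the two patterns separately would.
	print fmt("apart, &&    : %s", scanner_ua_header in apart);      # F
	print fmt("apart, sep.  : %s",
		  ua_prefix in apart && scanner_name in apart);          # T

	# Alternation matches as soon as one piece is present.
	print fmt("apart, ||    : %s", either_piece in apart);           # T
	print fmt("no match, || : %s", either_piece in "GET / HTTP/1.0"); # F
	}
```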