[Bro] new Bro CURRENT release (0.9a10)

Vern Paxson vern at icir.org
Tue Sep 6 22:26:15 PDT 2005

A new CURRENT release, 0.9a10, is now available from:


This release primarily includes bug fixes and portability enhancements,
though also some new features, per the appended.  The next major release
will have *extensive* additions, so I'm thinking that perhaps this will
be the last 0.9 release, and will become the new STABLE distribution
(assuming it proves to be stable over the coming months), though I haven't
decided that for sure yet.

Also note that this release marks a shift to a new FTP repository directly
off of bro-ids.org.



0.9a10 Tue Sep  6 10:41:53 PDT 2005

- Fixes for portability to 64-bit architectures (Christian Kreibich).

- Bug fix for broken syslog'ing of alarms (Scott Campbell).

- The manual has been updated to clarify that aggregate values in events
  are passed as shallow copies, so that modifications to elements of the
  values after posting the event but before it's handled will be visible
  to the handlers for the events (Christian Kreibich).

- HTTP logging now includes the host from the Host header in the request
  (Craig Leres).  Note, currenty this only is done when using http-reply.bro,
  not if you only analyze requests.

- You can now specify a passphrase for the SSL cert used for inter-Bro
  communication by redef'ing the variaable "ssl_passphrase" (Christian
  Kreibich).  Leaving it unchanged causes the passphrase to be read

- Certificates created using ca-issue now have 2-year lifetimes rather
  than the default of 30 days (Christian Kreibich).

- A problem with handshaking between Bro peers has been fixed (Christian

- A bug has been fixed in scanning false positives due to backscatter
  in the form of SYN ACKs (Vern Paxson).

- Alerts sent via email now use a From address configured from bro.cfg
  (Randy Mcclelland-Bane).  Also, if sending an alert via gpg fails,
  it's sent instead as plaintext.

- Scan notices now include information about the connection that
  triggered the scan detection decision (Vern Paxson).

- Exported some TRW variables so the user can adjust their associated
  timers (Vern Paxson).

- The new script variable dns_max_queries sets a maximum on the number of
  queries that can appear in a DNS request (Scott Campbell & Vern Paxson).
  If more queries appear, the request is treated as non-DNS traffic and
  ignored.  The variable defaults to a value of 5.  Setting it to 0 turns
  off this functionality, so Bro processes all apparent requests.

- The "weird" messages generated by the DNS analyzer now have a more
  regular naming structure and processing (Scott Campbell and Vern Paxson).

- Tweaked bif_arg.cc to pass gcc4.0 and bro.bif to not collide with
  uuid in OSX 10.4 (Jason Lee).  Now works on OSX 10.4, though use
  --disable-localpcap when compiling.

- Bro now compiles cleanly under OpenBSD (Jason Lee).

- NOTE: the connection compressor has a known serious bug and should
  not be used at present.  Since it is an experimental feature, fixing it
  is deferred to the next release.

- Some bugs fixed in the management of hash keys when using the
  connection compressor (Robin Sommer).

- Tweak for the connection compressor to generate truncated_header weird's
  (Robin Sommer).

- Temporary bug fix for type clash in SSL version numbers (Vern Paxson)
  by making them consistently of type int.  The correct fix is probably
  for them to be consistently of type count, depending on how Bro's notion
  of general version processing, and its SSL analyzer, both evolve.

- Bug fix for trace rewriting failing if Bro was not compiled to check
  assertions (Martin Casado).

- Fixed logic bug in signal handling regarding whether we're currently
  idle waiting for input vs. processing a packet or the event queue
  (Vern Paxson).  Note, this change has not been heavily tested.

- Some bug fixes for correct operation when DNS names fail to resolve
  (Vern Paxson).  It's not clear that these fixes are complete, however.

- Fixed to not compile libpcap when --disable-localpcap is given to configure
  (Jason Lee).

- Fixed configuration of local pcap for IPv6 if --enable-brov6 is specified
  (Jason Lee).

- A problem with "make install" when building from the libpcap included
  in the sources has been fixed (Christian Kreibich).

More information about the Bro mailing list