[Bro] new Bro CURRENT release 1.1

Vern Paxson vern at icir.org
Mon May 15 13:57:22 PDT 2006

Bro release 1.1 is now available from:


This becomes the new CURRENT release.  It contains a significant number
of new features and bug fixes, per the appended change log.



1.1 Mon May 15 10:50:33 PDT 2006

- Bro now supports a "when" statement for taking action upon something
  becoming true asynchronously (Robin Sommer).  This provides a powerful
  new mechanism with numerous applications.


	when '(' <expr> ')' <stmt> [timeout <interval> '{ <stmts> '}']

  where the first <stmt> can be a single statement or a block enclosed
  in {}'s, but the set associated with "timeout" must be enclosed in
  {}'s (to reduce ambiguities in Bro's grammar).

  Bro executes the first statement when <expr> becomes true. If you give
  a timeout and the condition has not been satisfied before it expires, Bro
  executes the second statement instead.

  A simple example:

	global t: table[addr] of count;
	event connection_established(c: connection)
	    local orig = c$id$orig_h;
	    if ( orig !in t )
		t[orig] = 1;

		when ( t[orig] == 5 )
		    print fmt("%s has established 5 connections", orig);
		timeout 1 hr
		    print fmt("%s has NOT established 5 connections", orig);
		    delete t[orig];

	- The condition may be evaluated more than once, and at arbitrary

	- When the when-body is executed, the condition is guaranteed to be
	  still satisfied.

	- Expression reevaluation is primarily triggered by modifications
	  to globals.  However, reevaluations do not take place immediately
	  but potentially at a later point.  This means that if we change a
	  global to a value which would execute the trigger but then change
	  it back, the change may go unnoticed.

	- Inside the condition you may introduce new locals.  For example,

	    when ( (local x = foo()) && x == 42 ) ...

	  Such an assignment always yields true as its expression value
	  (but the assignment might be delayed, for example if foo() is
	  a delayed function call - see below).

  Delaying function calls

  Functions called inside the condition of a when-clause may delay their
  results until they're ready. This works for both script-level and built-in

  For script-level functions, there is a new construct, "return <when-stmt>",
  to delay a function's result. When used, the function returns at the
  time the when-stmt's condition becomes true, and it yields the value
  that the when-stmt's body then returns. Toy example:

      global X: table[string] of count;

      function a() : count
	    # This delays until condition becomes true.
	    return when ( "a" in X )
		  return X["a"];
	    timeout 5 min
		  return 0;

      event bro_init()
	    # Installs a trigger which fires if a() returns 42.
	    when ( a() == 42 ) { print "Yippie!"; }

	    X["a"] = 42;

  There's also a new built-in function which can delay

	lookup_addr(host: addr)

  performs asynchronous DNS address->hostname lookups. Example:

	    local h; addr;
	    when (local name = lookup_addr(h)) { print h, name; }

  See the function gen_hot_notice_with_hostnames() in conn.bro for
  a more worked-out example of using the "when" clause to translate the
  local address in SensitiveConnection notices to a hostname (contributed
  by Brian Tierney).  This functionality is activated by redef'ing
  xlate_hot_local_addr to T.

  Here is the full evaluation model of a when's condition:

       - The condition may be evaluated more than once, at arbitrary times.

       - It is always fully evaluated, no matter whether some former
	 evaluation has been suspended by a delaying function call.

       - All function calls which do not delay are always *fully* executed
	 each time the condition is evaluated.

       - Function calls which delay are only executed *once*; their result is
	 cached and re-used in the case the condition is evaluated again.

       - The condition is guaranteed to be true when the body is executed
	 (potentially using cached function results)

- By default Bro now uses a configuration similar to what used to be
  activated using reduce-memory.bro, along with some additional state
  timeouts that are new (Robin Sommer and Vern Paxson).  This allows for
  better state management out-of-the-box, at the cost of some precision
  of analysis and resilience to evasion.  In particular, the intent is to
  move towards being able to run Bro continuously without inexorably growing
  the amount of memory used until exhaustion.

  You can access a configuration similar to the previous default state
  management settings by loading heavy-analysis.bro.  It turns on a
  load-prefix of "heavy", so when you load XXX.bro, a file heavy.XXX.bro
  will also be automatically loaded if present.  Note that, as was the
  case for reduce-memory, you need to load heavy-analysis prior to other
  files for it to have effect.

- The new module clear-passwords.bro monitors login/FTP/IRC/POP traffic
  for cleartext passwords (Jason Lee).

- The new script service-probe.bro looks for remote hosts that repeatedly
  connect to the same service on local hosts (for a configurable set of
  services and connection sizes) in order to detect brute-forcing attacks
  such as password-guessing (Jim Mellander).

- A new ARP analyzer generates three events:

	event arp_request(mac_src: string, mac_dst: string,
			SPA: addr, SHA: string, TPA: addr, THA: string);

	event arp_reply(mac_src: string, mac_dst: string,
			SPA: addr, SHA: string, TPA: addr, THA: string);

	event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string,
			explanation: string);

  with a corresponding policy script arp.bro (Chema Gonzalez and Vern Paxson).
  It writes logs to arp.$BRO_LOG_SUFFIX.  It has not been tested much yet.

- Bro Lite changes (Jason Lee):
	- default user for is now user 'bro'
	- now uses the correct sysctl on FreeBSD 6
	- now uses the correct Perl path if site-report.pl not installed
	  into '/usr/local/bro'
	- no longer prompts to encrypt email unless you pick to email reports

- The default Bro Lite install now only checkpoints Bro once a week
  (Brian Tierney).

- Implicit Bro file extensions (such as .bro for policy scripts and .sig
  for signatures) are now searched for first rather than only if the
  non-extension-version of the file doesn't exist (Vern Paxson).  For
  example, running "bro -r trace mt" now first searches $BROPATH for
  "mt.bro" before searching for "mt", whereas it used to do these in
  the other order.

- There's now a simpler mechanism for redef'ing variables on the command-line
  (Christian Kreibich).  Any command line arguments of the form <var>=<val>
  are now expanded into policy code of the form "redef var=val;", where
  <val> is wrapped in quotation marks if the value appears to be a string
  and doesn't have quotation marks already.  This works with strings with
  whitespace such as foo="Hello World"; however, note that it means you
  can't use the mechanism to redef an enum value.

- The Bro distribution now includes (and builds by default) Christian
  Kreibich's Broccoli library (Bro C Client Library), which enables programs
  to communicate with running Bro's (Christian Kreibich and Jason Lee).
  Configure with --disable-broccoli to turn this off.

- Built-in functions log(x: double): double and exp(x: double): double
  which do natural logarithms and their inverses (Jaeyeon Jung).

- The new built-in function gethostname() returns the local host's name
  (Jason Lee & Robin Sommer).

- The new built-in function reading_traces() returns true if Bro
  is reading trace files (Robin Sommer).

- The new built-ins suspend_processing() and continue_processing() provide
  script-level control for instructing the event engine to stop or resume
  processing packets (Robin Sommer).  This is useful for coordinating
  simultaneous processing by multiple Bro's.

- Email notices are now by default sent via /bin/mail, with "[Bro Alarm]"
  in the subject.

- redef'ing a function now replaces the existing body rather than
  supplementing it (Robin Sommer), which was a bug.

- You can now configure Bro to process encapsulated IP packets either
  by setting, as before, a fixed encap_hdr_size (for VLANs), or setting
  parse_udp_tunnels to T (Ruoming Pang).  For the latter, you specify a
  UDP tunnel port using udp_tunnel_port (the previous variable "tunnel_port"
  has gone away); or you can leave it set to its default of 0/udp, in which
  case Bro will look for IP encapsulated in UDP packets on any port.

- Added a simple form of profiling based on sampling the work done
  per-packet (Vern Paxson).  The event engine generates a

	event load_sample(samples: load_sample_info, CPU: interval, dmem: int)

  event every load_sample_freq packets (roughly; it's randomized), where
  load_sample_freq defaults to 20.  "samples" is simply a set[string]; it
  contains the names of the functions, event handlers, and their source
  files that were accessed during the processing of the sampled packet,
  along with an estimate of the CPU cost of processing the packet and
  (currently broken) memory allocated/freed.

- Bro now includes experimental support for Endace DAG cards (Gregor Maier
  and Robin Sommer).  To activate, configure with


  and use "dag0" as the network interface. You may need to configure the
  card with the dagtools first. In general, if dagsnap works, Bro should
  work as well.

- Log rotation has changed in a number of ways (Mark Dedlow & Robin Sommer):

	  * The new variable log_rotate_base_time: string, if defined,
	    specifies that logs should be rotated at log_rotate_base_time +
	    i * rotate_interval intervals. Format is as a string in
	    24-hour time, "%H:%M", e.g, "12:00".  This format may change
	    in the future to instead be a Bro time type.

	  * RotateLogs::date_format can be redefined to change format of
	    timestamps in rotated files.

	  * RotateLogs::build_name() can be redefined to implement an
	    arbitrary naming scheme for rotated files.

  Note, this code has not been extensively tested.

- Bro now by default builds a version of malloc bundled with its
  distribution (Vern Paxson & Brian Tierney).

- The syntax for the clone operator now looks like a function call,
  "copy(x)" (Vern Paxson).

- The new flag DNS::logging (default F), if T, disables generation of
  dns.log (which is often uninteresting and very large), though it
  still performs analysis leading to NOTICEs (Robin Sommer).

- A new global, hostile_domain_list, has been added to dns.bro which
  lists domains to be flagged if A or MX records are queried (Scott Campbell).

- Added globals dns_skip_all_{auth,addl} to skip all DNS AUTH/ADDL processing
  (Vern Paxson).  Skipping these is on (true) by default, because such
  processing is quite expensive.

- backdoor.bro now turns off by default some detectors that from experience
  have too many false positives, or (such as for HTTP) too many uninteresting
  true positives (Brian Tierney).  In addition:

	- the module now generates a BackdoorFound notice for each backdoor

	- the new variable dump_backdoor_packets (default F) if set causes
	  the packet that triggered the backdoor detection to be written to

	- the new variable backdoor_ignore_host_port_pairs is a set[addr, port]
	  specify host/port combinations to ignore

	- 587/tcp is now recognized as another SMTP port, and 7000/tcp as
	  a popular IRC port ignored by default

	- brolite-backdoor.bro is a sample of using backdoor.bro

- A bunch of enhancements and fixes for the IRC backdoor detector
  (Vern Paxson).

- The cf utility in aux/cf/ now gets the format to use (unless you specify
  -f fmt) from $CFTIMEFMT in the environment.  You can now specify -f
  without a format to revert to the default format.  This change also
  includes a significant performance improvement when processing large
  files (Mark Dedlow and Craig Leres).

- Cleanups for brolite.bro and brolite-backdoor.bro (Brian Tierney).
  brolite.bro now uses rotate-logs by default.

- backdoor.bro now enables analysis of partial connections (Vern Paxson).

- brolite config cleanup: removed smtp.bro from default, increased
  max_timer_expires, changed default BROPATH to look at site dir
  first (Brian Tierney).

- The reference manual has been updated for the terminology changes
  of log -> alarm, alert -> notice, and rule -> signature (Vern Paxson).
  Some vestiges of the older terminology remain, in part because they're
  still present in some facets of Bro.

- The new script function get_current_packet(): pcap_packet returns
  the current packet as a "pcap_packet" record with fields $ts_sec,
  $ts_usec, $caplen, $len (all of type count) and $data (a string)
  reflecting the corresponding libpcap values (Christian Kreibich).
  You can write this packet to a dump file using the new function
  dump_packet(pkt: pcap_packet, file_name: string): bool, which writes
  (or appends) the packet to a file of the given name, returning T
  on success and F on error.

- The new fmt() specifier 'T'  converts values of type "time" to ISO
  format timestamps, analogous to how 'D' does this for ISO dates
  (Mark Dedlow).  fmt("%T", <time>) is equivalent to
  fmt("%s", strftime("%F-%T.%N", <time>)), except that strftime
  does not (yet) offer "%N" for nanoseconds (but see 'date +%F-%T.%N').

- The new %S format for fmt() inserts a "raw" version of the given string -
  that is, embedded NULs, control characters, etc., are present without
  any escaping (Christian Kreibich).

- Zero-padding and field widths now work for all fmt() formats rather than
  just %e/%f/%g (Christian Kreibich).   For example, you can now say:

	local filename = fmt("log-%04.txt", ++counter);

  and get logfiles log-0001.txt, log-0002.txt, ..., log-0999.txt, etc.

- The 'x' format specifier now supports values of type "addr", converting
  them t hex (Mark Dedlow).  For example,

	  fmt("str=%s hex=%x",,


	str= hex=01020304

  The field designation is either %08x (if compiled for IPv4 only) or
  %08x%08x%08x%08x (if compiled with IPv6 support).

- firewall.bro has been extended to support multiple independent
  rule-sets (by calling begin() for the start of the next one),
  specifying sets of addresses, being FTP-aware, and with a more
  streamlined Notice message (Robin Sommer).

- The HTTP script variables maintain_http_sessions and http_sessions
  are now exported so they can be redefined or, for the latter, have
  timeouts added/adjusted (Robin Sommer).

- You can load the new policy script log-append.bro to change Bro's
  behavior so that when it runs appends to existing log files rather
  than overwriting them (Mark Dedlow).

- New &disable_print_hook attribute for files (Robin Sommer).  If set,
  print statements to the file don't trigger the print_hook event.  This
  is useful to keep the output of certain files from being propagated to

- You can now associate "classes" with remote peers (Robin Sommer).  When
  connecting, a node may send a specific class to which it considers itself
  belonging. The accepting side can then tune its configuration based on
  the received class.

  This is primarily for the having multiple unrelated Broccolis running on the
  same host, all connecting to the same remote Bro (e.g., sshd and syslog

  To use this, on the Bro side the record Remote::Destination now has a
  field "class: string" (default: unset).  If set, the given config entry
  only applies for connecting remote peers that send the given class.
  If it is set and we're connecting to another peer, we propagate the class.


      On the listening Bro:

	    redef Remote::destinations += {
		["peer-1"] =
			[$host =, $class="ftp", $events = /ftp.*/],
	        ["peer-2"] =
			[$host =, $class="http", $events = /http.*/]

      On peer 1:

	    redef Remote::destinations += {
		  ["master"] =
			[$host =, $class="ftp",
			 $events = /.*/, $connect=T]

      On peer 2:

	    redef Remote::destinations += {
		  ["master"] =
			[$host =, $class="http",
			 $events = /.*/, $connect=T]

  All of these may run on the same host.

- A bunch of changes to adu.bro (Christian Kreibich):

	- New ADU_MAX_DEPTH limits depth (at ADU granularity) into a
	  flow up to which ADUs are reported.

	- Handles UDP.

	- New event adu_done(c: connection) signals that no further ADUs
	  will be delivered for a connection.  This is useful since adu.bro
	  relies on event connection_state_remove() to remove state, and
	  if a policy using adu.bro likewise uses this event type then
	  event sequencing can cause adu_tx/rx events to occur after
	  connection_state_remove() has been processed.

	- Now correctly clips ADU to maximum allowed size.  (Note, this
	  has been temporarily commented out because it relies on a new
	  string function that has not yet been integrated into the
	  main distribution.)

	- Now can ignore specific connections dynamically.

	- TCP content gaps are now recognized and ADU delivery is for now
	  stopped for such flows, unless explicitly requested. 

	- No longer logs to file in test mode.

- The new function add_notice_tag() explicitly adds a unique notice tag
  to a connection's $addl field (Robin Sommer).  This is sometimes necessary
  to ensure that the tag appears in the connection summary.

- Bro now performs serialization (such as when checkpointing &persistent
  tables or communicating them between Bro's) in an incremental fashion,
  intermingling transfers of large tables with ongoing packet processing
  (Robin Sommer).  Doing so helps avoid packet drops for large items. 
  This has not yet been implemented for the initial handshake done
  for &synchronized items.

- ssl.bro now stores certificates by default in the subdirectory "certs/"
  (Robin Sommer).

- Analysis of weak/unknown ciphersuites in ssl.bro reworked (Holger Dreger).

- New cipher for SSL analysis, SSL_CK_RC4_64_WITH_MD5 (Holger Dreger).

- load-levels and cpu-adapt now log their adaptations to the log file
  rather than generating alarms (Robin Sommer).

- The default adaptation levels in cpu-adapt have been tweaked for better
  behavior (Robin Sommer).

- A new structure of the event loop (implemented by Robin Sommer) is now
  enabled during configuration by default (Christian Kreibich).  You can
  revert to the previous structure using --disable-select-loop.

- When configuring Bro, the version of pcap that comes with the Bro
  distribution is no longer used by default (Jason Lee).  Instead,
  the system one is used, or one at the same directory level as Bro.
  To use the Bro distribution version, configure with --enable-shippedpcap.

- backdoor.bro now has comments clarifying that it does not itself
  alter capture_filters (Vern Paxson).

- If you set backdoor_stat_period to 0 sec, then this now turns off
  the periodic component of backdoor analysis (Holger Dreger).

- The filters specified in notice_action_filters now take an additional
  argument specifying the action that has been determined so far (Robin
  Sommer).  This allows the filter to decide to not change the current
  action, if it so wishes.

- The new event notice_alarm(n: notice_info, action: NoticeAction) is
  generated for every notice that results in an alarm (Robin Sommer).

- Tallying of notices is now done using a notice, which has type NoticeTally
  (Robin Sommer).

- The new notice action filter alarm_always_notice specifies an action
  of NOTICE_ALARM_ALWAYS (Vern Paxson).

- If the watchdog expires and Bro isn't generating a packet trace file,
  the current packet is saved to "watchdog-pkt.pcap" (Robin Sommer).

- New boolean globals tcp_contents_deliver_all_{orig,resp} allow easy
  requesting of content delivery for all TCP traffic in orig/resp directions
  (Christian Kreibich).

- The new event udp_contents(u: connection, is_orig: bool, contents: string)
  delivers the contents of UDP packets analogous to tcp_contents (Christian
  Kreibich).  The boolean globals udp_content_deliver_all_{orig,resp} and
  tables udp_content_delivery_ports_{orig,resp} control for which ports
  content is delivered, analogous to the globals that control tcp_contents.

- New option --set-seed=n sets the random number seed to n (Vern Paxson).

- Notices now report current time for remotely-received notices rather
  than network time (Brian Tierney).
- Notices now include a tag es=<peer_description> any time a peer
  description is defined, not just for remote notices (Robin Sommer).

- The global log_as_connection has been removed from icmp.bro, which now
  only logs ICMP flows via the usual connection logging (Vern Paxson).

- The Destination variable $accept_state has been renamed $accept_input
  to better reflect its meaning (Vern Paxson).

- A remote destination's $sync field now indicates whether to accept
  ongoing state changes from peers, rather than just upon start-up
  (Robin Sommer).  The variable $accept_state controls whether we
  accept events.

- Logging of forms of Bro communication has been unified (Robin Sommer).

- Updates for packet filtering documentation (Christian Kreibich).

- A new global, stp_skip_src, lists sources that should be skipped for
  stepping-stone analysis (Vern Paxson).  ssh-stepping.bro adds sources to
  this list if they've instantiated more than src_fanout_no_stp_analysis_thresh
  connections, keeping them blocked until they've been idle for 15 seconds.

- Added a default notice-policy.bro as an example (Brian Tierney).

- Expanded on descriptive text in notice-policy.bro (Vern Paxson).

- ef removed from aux/hf/, as it's of little use and a headache to
  maintain for portability (Vern Paxson).

- The version of libpcap bundled with the distribution has been
  elevated to 0.8.3 (Jason Lee).

- Bro now compiles again if non-blocking DNS is not available (Robin Sommer).

- Resource statistics logging now differentiates between offline
  processing vs. remote-communication-only (Mark Dedlow and Robin Sommer).

- The script variable ICMP::distinct_pairs now times out its state,
  with a default of 15 minutes after creation (Robin Sommer).

- The Bro version reported now includes "-debug" if Bro was configured
  with --enable-debug (Robin Sommer).

- scan.bro now defaults "shut_down_all_scans" to T, meaning it by
  default detects scans on all ports, not just those in the set
  shut_down_scans (Vern Paxson).  Please note, this variable is
  misnamed - it should be "detect_all_scans" - but that change is
  waiting on reworking the basic structure of scan detection.

- Major bugfix for signature matcher missing matches on analyzer data
  (Robin Sommer).  For example, a condition "http /foo/" would only have
  match with the first URL in a connection, not subsequent ones.  Fixing
  this changes the calling sequence of the match_signatures() built-in to
  take an additional final parameter, "clear", which, if set, resets the
  matcher to its starting state prior to matching.

- Serious bug in regular expression matching - and hence signature engine -
  fixed (Robin Sommer).

- Bug fix for formatting (via fmt()) of very long strings (Vern Paxson).

- Fixed mail_reports.sh to correctly find sendmail binary on various systems
  (Brian Tierney).

- Numerous changes to Bro's internal string representation, and more
  flexibility in how strings are rendered for display (Christian Kreibich).

- Pseudo-real-time now can be initialized using an optional argument
  that corresponds to the degree of time compression (Robin Sommer).
  For example, --pseudo-realtime=0.5 causes time to advance half as fast
  as it would in real-time.  The default value is 1.0; any value > 0 is

- The SSH analyzer now looks for just linefeeds as line terminators when
  extracting version strings, rather than carriage-return-line-feeds, to
  match actual implementations rather than the RFC (suggested by Chema

- Playing back events from files now working again (Robin Sommer).

- Bro now uses current_time() rather than network_time to track the
  modification time of variables, since network_time doesn't advance
  when only receiving events (Robin Sommer).

- Bug fixes for IPv6 support, including processing UDP traffic
  (which had been completely broken) and subtle interactions (actually,
  lack thereof) between the connection compressor and IPv6 that
  could lead to crashes (Vern Paxson).

- Portability tweaks for NetBSD, 64-bit Linux SuSe and FreeBSD 5.4
  (Christian Kreibich, Jason Lee and Vern Paxson).

- Bug fix for IPv6 "::" constants that start with hex digits specified
  using 0x (Vern Paxson).

- Calling the built-in terminate() function twice now has no additional
  effect (Christian Kreibich).  It used to terminate Bro abruptly, without
  cleanly shutting down.

- Removed active.bro; use active_connection() + connection_record() instead
  (Vern Paxson).

- Bro lite reports now work with rotated logs files (Brian Tierney)

- Bug fix for conditions such as "payload /^user/", which now work equivalent
  to "payload /user/" (Robin Sommer).

- Tweaks to sensitive patterns in HTTP request URIs to reduce false
  positives (Brian Tierney).

- Bug fixes for strip() built-in function (Holger Dreger).

- Memory leak in built-in function to_addr() fixed (Ruoming Pang).

- Bug fix for "hot" connections sometimes not having their notice tag
  appearing in connection summaries (Robin Sommer).

- Bug fixes for IRC analysis (Vern Paxson and Robin Sommer).

- Syslogging now works if Bro is running in communication-only mode
  i.e., live, but not reading a network interface (Robin Sommer).

- Bug fix to allow tuning of TRW parameters (Vern Paxson).

- Bug fixes for SSL analysis (Holger Dreger).

- Removed logic that inverted orig/resp in some scans (Vern Paxson).

- Lint & memory allocation tweaks (Vern Paxson).

- Bug fixes for inactivity timeouts (Robin Sommer).

- Bug fix for Bro Lite cron job (Jason Lee).

- When binding to a listening port for remote communication fails,
  the port number is now reported (Robin Sommer).

- Some spurious reporting removed from configure output (Jason Lee).

- Fix for "weird"'s generated by connection compressor but not
  recognized at the policy script level (Vern Paxson).

- Fixes for detecting content gaps and not matching previously delivered
  data (Ruoming Pang).

- Bug fixes for TCP rewriter (Ruoming Pang).

- Bug fixes for crashes in SSL analyzer (Vern Paxson).

- Bug fix for avoiding busy-waiting when a communication child dies
  (Robin Sommer).

- Bug fix for BiF's that use 'T' and 'F' in character constants
  (Vern Paxson).

- Memory leak fixes (Robin Sommer, Christian Kreibich, Vern Paxson and
  Ruoming Pang).

- The peer table for inter-Bro communication is now correctly indexed by a
  peer_id (Robin Sommer).

- Bug fix for exchange of initial &synchronized state which could
  prevent communication from entering main phase (Robin Sommer).

- Bug fix for propagating incremented table values derived from
  a table's &default (Robin Sommer).

- Bug fixes for the POP3 analyzer when analyzing non-NUL-terminated strings
  or bad base64 encodings (Vern Paxson).

- Updates for Bro's internal hash functions (Ruoming Pang).

- The debug and communication log files now comply with $BRO_LOG_SUFFIX
  (Robin Sommer).

- Some internal debugging additions (Ruoming Pang).

- Internal cleanup regarding "const" strings (Ruoming Pang).

- A number of casts changed to use modern C++-style pointer casting
  such as reinterpret_cast and static_cast (Ruoming Pang).

- Bug fixes for inter-Bro communication on 64-bit systems (Robin Sommer).

- Bug fixes for detecting errors for SSL connections (Robin Sommer).

- Potential null pointer dereference fixed (Robin Sommer).

- Inter-Bro communication is now more reliable in the presence of errors
  (Robin Sommer).

- Performance enhancement for tracking values whose elements might
  change (Robin Sommer).

- Fixes for peers having differing enum lists (Robin Sommer).  This can
  occur because they're running different scripts and which do different
  redef +='s to add enum values.

- += now works for interval types (Vern Paxson).

- Bug fix for exchanging peer descriptions (Robin Sommer).

- Bug fix for processing multipart-MIME HTTP messages with content-length 
  headers (Ruoming Pang).
- Bug fix for failing to escape "'s in HTTP server replies (Robin Sommer).

- Bug fix for propagating increment operations on tables (Robin Sommer).

- Bug fixes for files (Robin Sommer): set open time to current time if
  network time is not initialized; when deserializing files, prevent them
  from being closed immediately due to reference-counting interaction.

- Bug fix to prevent reporting some scans twice (Robin Sommer).

- Bug fix for printing enum's (Christian Kreibich).

- When not configured with --enable debug, Bro now still accepts (yet ignores)
  option -B (Robin Sommer). 

- Serialization enhancements and fixes, including a change of the
  protocol version number (Robin Sommer).

- Bug fix for logging inter-Bro communication (Robin Sommer).

- Bug fixes for enumerating attributes and timers (Robin Sommer).

- Bug fix for signatures matching first on one side of the connection,
  and then on the other, being reported twice (Robin Sommer).

- Inter-Bro communication now continues to work even when packet processing
  has been suspended (Robin Sommer).

- Fix for running multiple Bro's together in pseudo-realtime (Robin Sommer).

- Tweak to print-resources.bro so it can be loaded standalone (Vern Paxson).

- Bug fix for &persistent state not being save if Bro wasn't running
  with an input source (Robin Sommer).

- Bug fix for which process ID to check to see if children are still alive
  (Robin Sommer).

- Bug fix for no longer crashing if the expiration function associated
  with a table deletes the element from the table rather than returning
  an interval of 0 secs to indicate it should be deleted (Chema Gonzalez).

- Bug fix for OutboundTFTP notice: now checks to ensure that not only is
  the source local, but the destination is not local (Vern Paxson).

- Bug fix for a subtle interaction mediated by errno, which could cause a
  failed read() to later confuse pcap_dispatch() (Chema Gonzalez).

- Bug fix for TCP contents assertion checking (Ruoming Pang).

- Bug fix for error output on small RPC fragments (Ruoming Pang).

- Fix for connection compressor bug in tracking connection history
  (Robin Sommer).
- Bug fix for potential floating point exception in signature engine's
  resource-profiling code (Robin Sommer).

- Bug fix for low-level List data structure when replacing a list element
  beyond the end of a list (Robin Sommer).

- Bug fix in initializing capabilities when setting up communication between
  Bro peers (Robin Sommer).

- A number of connection compressor bug fixes: weird's for spontaneous
  FINs and RSTs, consistent processing of "connections" that begin with
  RSTs, correct checksum computations, and weird's printed to stderr if
  no event handler defined (Robin Sommer).

- load_sample_freq is now &redef (Vern Paxson).

- Bug fix for backdoor detector incorrectly matching substrings (Vern Paxson).

- Bug fix for canceling timers sometimes failing to cancel all of
  them (Robin Sommer).

- Error handling during un-serialization now handled more robustly
  (Robin Sommer).

- Bug fix for division by zero if expensive_profiling_multiple
  set to zero (Robin Sommer).

- Bug fix for connection logs failing to track all of the annotation
  ($addl) associated with a connection (Vern Paxson).

- Portability fix for BinPAC (Ruoming Pang).

- Fix to NFS analyzer for missing values in events reporting failed requests
  (Vern Paxson).

- autogen.sh now aborts as soon as one of the tools it invokes fails
  (Christian Kreibich).

- Fixed bug where not having SSL would cause bro to not compile (Jason Lee).

- State-holding fix for adu.bro (Christian Kreibich).

- A number of configuration tweaks (Craig Leres & Christian Kreibich).

- Fix for sig-functions.bro: checks isApache* functions, which ensure
  that Apache is indeed in the software set before accessing the index
  (Brian Tierney and Robin Sommer).

- Smith-Waterman fixes and test suite script (Christian Kreibich).

More information about the Bro mailing list