[Bro] new Bro CURRENT and STABLE releases (1.3 and 1.2)

Vern Paxson vern at icir.org
Mon Jul 16 23:57:27 PDT 2007

Bro release 1.3 is now available from:


This becomes the new CURRENT release.  The 1.2 branch (formerly CURRENT)
is now the STABLE release:


Most of the 1.3 changes are refinements and fixes of various sorts, as
opposed to major functionality.  The most significant new features are
that the Bro manual has now been wikified at


and Bro's analyzers for SMB, NetBIOS and NCP have a great deal more
functionality.  The appended changelog lists numerous other features/

The old STABLE release, based on the 1.1 release, remains available at


We do not anticipate making any further changes to it.



1.3 Mon Jul 16 22:11:00 PDT 2007

- The Bro manual has been wikified at:


  and this is the format in which it will evolve in the future
  (Christian Kreibich).

- Much more extensive support for SMB, NetBIOS and NCP (Chris Grier).

- The new attribute &priority=n defines the order of execution for handlers
  of the same event (Robin Sommer).  Handlers with higher priority are
  executed first.  n is an integer expression that must evaluate to a
  constant when the script is loaded.

          > cat foo.bro
          event bro_init() &priority = -5 { print -5; }
          event bro_init() &priority =  5 { print 5; }
          event bro_init()                { print 0; }	# default priority=0
          > ./bro foo.bro

  The connection_state_remove() handler in conn.bro now has priority
  -10 and therefore executes after all other handlers for this event.
  This fixes a long-standing problem of sometimes $addl fields not showing
  up in connection summaries.

- The new expressions record(...), table(...), set(...) and vector(...) 
  are constructors for the corresponding aggregate types (Vern Paxson).
  For example,

	record($foo = "hi", $bar = -6)

  is the same as the existing constructor

	[$foo = "hi", $bar = -6]

  For tables, sets, and vectors, the "..." values within the ()'s have
  the same syntax as those that you can list in variable initializations.
  For example,

	table([1, T] = "black", [4, F] = "red")

  returns a table of type "table[count, bool] of string".

	set(4, 3, -1)

  is a value of type "set[int]".

- You can associate attributes with table() and set() constructors
  (Robin Sommer).  For example:

         local s = set( &read_expire = 5 secs;

  associates a 5-second read expiration with the set assigned to s.

- Bro now explicitly supports port numbers reflecting a transport protocol
  type of "unknown" (Christian Kreibich).  Currently, this means "not TCP,
  UDP or ICMP".  The numerical value of such a port is the IP protocol,
  so ranges from 0..255.  For example:

    global p: port = 0/unknown;

    print fmt("%s", p);
    print fmt("p is TCP? %s", get_port_transport_proto(p) == tcp);
    print fmt("p is unknown? %s",
		get_port_transport_proto(p) == unknown_transport);


    p is TCP? F
    p is unknown? T

  In comparisons of different protocol types, the following holds:
  unknown < TCP < UDP < ICMP.

- If your system supports "GeoIP" (see http://www.maxmind.com/app/geolitecity
  for a corresponding city database), then the new script function

	  lookup_location(a: addr): geo_location

  returns a record of geographic information associated with an address
  (Seth Hall).  The geo_location record has $country_code, $region and
  $city fields.  If no information is available, each of these will be
  set to empty strings.

  If Bro hasn't been configured with GeoIP support, or if the address is
  IPv6 that cannot be directly converted to IPv4, then Bro produces a
  run-time error and likewise returns empty strings.

- Signature-matching on HTTP components now processes the URI with
  escape sequences expanded (Robin Sommer).  Ideally, there would be
  two signature keywords, one for decoded URIs (corresponding to this
  case) and one that allows matching against the URI as originally

- The connection compressor is no longer considered experimental, and
  is used by default (Robin Sommer).

- The new function lookup_hostname(host: string): addr_set asychronously
  looks up the IPv4 address(es) of the given host via DNS (Robin Sommer).
  Like lookup_addr(), this function can only be used within a "when"

- The new built-in

	raw_bytes_to_v4_addr(s: string): addr

  takes a string that points to at least 4 bytes, and returns an address
  corresponding to interpreting these as being an IPv4 address in network
  order (Vern Paxson; suggested by Mike Dopheide).

- Trace-rewriting support for DNS, SMB (Chris Grier).

- The new script function find_all(str: string, re: pattern): string_set
  returns a string_set giving all occurrences of the pattern "re" in
  the string "str" (Robin Sommer).  (Note that string_set's are unordered.)

- The new policy script save-peer-status.bro generates a log
  to peer_status.$BRO_LOG_SUFFIX of updates received from
  communication peers (Robin Sommer).

- The policy script print-filter.bro now includes two (scoped) variables,
  terminate_bro and to_file, which control whether to exit after printing
  the filter (default T) and whether to write to the log file
  pcap_filter.$BRO_LOG_SUFFIX or (default) to stdout (Robin Sommer).

- The new script variable check_for_unused_event_handlers controls whether
  Bro checks for unused event handlers (Robin Sommer).  It defaults to T,
  which was the past behavior (always report).

- Bro now terminates if the only pending activity is future timers
  (Robin Sommer).  It used to wait for those timers to expire, but this
  can cause fundamental problems if the timers are associated with table
  management (since these might never completely drain).

- Tables and sets inside of records are now initialized to empty
  values rather than uninitialized (Vern Paxson).

- A new variable allow_services_from (in hot.bro) complements the
  existing allow_service_to variable (Brian Tierney).  It specifies
  that access to the given service from the given originator is

- global_sizes() no longer reports internal variables (Robin Sommer).

- The IRC analyzer is now activated if any of the (many) IRC event
  handlers are defined (Robin Sommer).

- The default value for tcp_close_delay is now 5 sec rather than 0 sec
  (Robin Sommer).  This prevents some spurious connection events.

- Improved logic for dealing with "reversed" connections such
  as backscatter (Vern Paxson).

- You can now left-justify fields when using fmt() with "%-" like
  in sprintf (Christian Kreibich).

- Updates to DNS query types (Larry Leviton).

- Added mechanism to http-header.bro to skip printing some HTTP headers
  (Larry Leviton).

- The IrcHotWord notice now sets the associated connection (Robin Sommer).

- If a notice has a tag, it's no longer overridden (Robin Sommer).

- ServerFound notices now set the port field (Robin Sommer).

- The built-in lookup_ID() now returns the string "<unknown id>" if the
  ID does not exist, rather than a run-time error (Robin Sommer).

- The new tuning option ProtocolDetector::suppress_servers specifies a
  set of analyzers for which Bro generates ServerFound notices, but not
  ProtocolFound (Robin Sommer).  This both reduces log file size and
  conserves memory.

- A new notice_action_filter, tally_notice_type_and_ignore, works the same
  as tally_notice_type but returns IGNORE (Robin Sommer)

- Setting summary_interval == 0 disables the creation of irc-bots.summary.log 
  (Robin Sommer).

- If you @load foo and a directory "foo" is in your path, Bro no longer
  tries to load it (Robin Sommer).

- A number of BinPAC fixes and enhancements (Ruoming Pang, Chris Grier
  and Vern Paxson).

- BinPAC now resides in aux/binpac rather than src/binpac (Ruoming Pang
  and Christian Kreibich).  This reflects a decoupling of it from Bro so
  that it can be used to generate protocol analyzers for other projects too.

- Removed example Inktomi entries from skip_scan_sources initialization,
  since they no longer exist (Vern Paxson).

- The variable make notice_once_per_orig_tally_interval is now
  redef'able (Brian Tierney).

- SIGPROF to the communication child process now logs resource stats to
  remote.log (Matthias Vallentin).

- The new built-in getpid(): count returns Bro's process ID (Robin Sommer).

- Patterns for detecting IRC-based bots updated (Robin Sommer).

- irc-bot-syslog now logs just bots, not all IRC client/servers (Robin Sommer).

- The new variable suppress_notice_actions in notice.bro suppresses
  notice_actions events for selected notice types (Robin Sommer).

- Files opened during operation now rotate just like those opened at
  startup (Robin Sommer).

- ResourceStats now also logs elapsed time and the reported number of
  packets-on-the-link (Mark Dedlow).

- Printing a "file" value now produces its name (Robin Sommer).

- Removed deliberate truncation of payload in port 80 FIN packets
  (Vern Paxson).

- remote.log now includes received peer_descriptions (Robin Sommer).

- Significant POP3 analyzer speed-ups (Vern Paxson).

- Updated README (Vern Paxson).

- Fix for "@load a" followed by "@load a.bro" not loading the same file
  twice (Robin Sommer).

- Bug fixes for propagating state operations to uninitialized variables
  and for spurious state inconsistency messags (Robin Sommer).

- Bug fix for sending final sync-points during pseudo-realtime mode
  (Robin Sommer).

- Fix for possible buffer overflow (Christian Kreibich).

- Bug fix for spurious end-of-file's during inter-Bro communication
  (Robin Sommer).

- Bug fix for dpd_match_only_beginning=F (Robin Sommer).

- Bug fix for updating timestamps (Christian Kreibich).

- Bug fix for skipping ADU processing in adu.bro (Christian Kreibich
  and Zhichun Li).

- Fix for ICMPs that carry ICMP headers (or non-TCP/UDP/ICMP headers)
  within them (Vern Paxson).

- Fix for files being rotated after the timer queue has been deleted
  (Vern Paxson).

- Bug fix for signature-matching with IPv6 subnets (Vern Paxson).

- Bug fix for connection compressor setting connection origin (Robin Sommer).

- Bug fix for interconn.bro when processing peculiar connections (Vern Paxson).

- Fix for off-by-one buffer in sscanf call (Christian Kreibich).

- Fixed inefficiency/warning flagged by g++ (Vern Paxson).

- Bug fix for NUL string termination in SMB processing (Zhichun Li).

- Fix for over-ref'ing of file Val's (Vern Paxson).

- Fixes for some g++ warnings (Christian Kreibich, Vern Paxson).

- gcc 3.4.2 portability fixes (Robin Sommer).

- Minor build fixes for Broccoli, including a version bump to match that
  of Bro.  See aux/broccoli/ChangeLog for details.

- distcheck fixes (Christian Kreibich).

- Configuration portability fixes (Matthias Vallentin, Jean-philippe Luiggi).

- OpenBSD portability fixes (Jean-philippe Luiggi, Christian Kreibich).

More information about the Bro mailing list